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Abstract 

Proof-carrying  code  (PCC),  as  pioneered  by  Necula  and  Lee,  allows  a  code  producer 
to  provide  a  compiled  program  to  a  host,  along  with  a  formal  proof  of  safety.  The  PCC- 
based  systems  often  rely  on  solving  integer  constraints  to  prove  the  soundness  of  the 
index  types  and  to  control  resource  consumption.  Unfortunately,  existing  approaches 
often  require  the  inclusion  of  an  oracle-like  constraints  solver  into  the  trusted  computing 
base  (TCB)  or  at  least  lock  the  safety  policy  with  one  particular  solver.  This  paper 
presents  a  feasibility  study  for  dissociating  the  constraints  solver  from  the  TCB  and  the 
safety  policy  from  the  actual  solver  algorithm.  To  demonstrate  this,  we  produce  a  simple 
framework,  we  show  how  to  adapt  the  popular  solvers  such  as  the  Omega  test  and  the 
Simplex  method  into  this  framework  and  we  study  some  of  its  properties. 
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1  Introduction 


In  proof-carrying  code  (PCC)  [8,  10],  a  code  producer  and  a  code  consumer  (host)  start  by 
agreeing  on  a  safety  policy.  This  policy  is  specified  as  a  set  of  axioms  for  reasoning  about 
safety.  The  code  producer  will  then  ship  a  compiled  program  to  the  consumer,  along  with 
a  formal  proof  of  its  safety.  Of  course,  the  formal  proof  must  be  expressed  in  term  of  those 
axioms.  Common  examples  of  such  policies  include  memory  soundness,  security,  CPU  time 
bounds  and  other  resource  control.  Someday,  banking  applets  will  presumably  comply  with 
money-transfer  soundness  policies. 

PCC  relies  on  the  same  formal  methods  as  does  program  verification;  but  it  has  the  sig¬ 
nificant  advantage  that  safety  properties  are  much  easier  to  prove  than  program  correctness. 
The  producer’s  formal  proof  will  not,  in  general,  prove  that  the  code  produces  a  correct  or 
meaningful  result;  but  it  guarantees  that  execution  of  the  code  can  do  no  harm.  Thus,  it 
cannot  replace  other  methods  of  program  assurance.  On  the  other  hand,  the  proofs  can  be 
mechanically  checked  by  the  host;  the  producer  need  not  be  trusted  at  all,  since  a  valid  proof 
is  incontrovertible  evidence  of  safety. 

Using  PCC  allows  to  remove  many  run-time  checks  without  sacrificing  safety.  For  example, 
the  Touchstone  compiler  [10]  can  prove  the  memory  safety  of  the  compiled  programs.  In 
other  words,  Touchstone-compiled  programs  can  be  trusted  to  run  on  devices  without  memory 
protection.  Recently,  Xi  [19,  17]  introduced  a  dependent  type  system  in  which  the  costly 
process  of  array  bounds  checking  can  be  removed — a  method  which  has  been  adapted  to  do 
so  in  a  provably  safe  way. 

CPU  time  bounding  [9,  5],  memory  soundness  [8,  7,  1],  and  array  bounds  checking  [19], 
all  require  some  kind  of  integer  constraints  handling.  So  does  automatic  parallelization  [14], 
And  so  do  presumably  many  unmentioned  processes.  To  be  more  specific,  they  require  solving 
a  set  of  integer  equality  or  inequality  equations  to  prove  the  soundness  of  the  index  types 
and  to  control  resource  consumption.  Unfortunately,  existing  approaches  either  include  the 
constraints  solver  into  the  trusted  computing  base  (e.g.,  Xi’s  DML  [17]  and  DTAL  [18]),  or  lock 
the  safety  policy  with  one  particular  solver  logic  (e.g.,  Necula’s  Simplex  solver  logic  [10,  9]). 

The  goal  of  this  work  is  to  study  the  feasibility  of  producing  a  generic  framework  where  the 
constraints  solver  does  not  have  to  be  in  the  TCB  and  the  safety  policy  is  independent  of  the 
actual  solver  algorithm.  This  is  important  because  it  would  allow  the  code  producer  to  choose 
the  constraints  solver  most  appropriate  to  a  particular  application.  The  producer  will  have 
much  more  flexibility  in  the  manner  in  which  the  mobile  code  is  proved  safe.  Furthermore, 
by  removing  the  solver  algorithm  or  the  specific  solver  logic  inference  rules  from  the  TCB,  we 
get  a  higher- assurance  system:  any  assumption  about  a  particular  solver  algorithm  must  be 
proved. 
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Background  and  motivation 


2.1  Solving  integer  constraints 

Trying  to  solve  all  integer  constraints  is  a  somewhat  ambitious  task.  As  a  matter  of  fact, 
this  would  mean  solving  Hilbert’s  tenth  problem  “  Determination  of  the  solvability  of  a  Dio- 
phantine  equation.  Given  a  diophantine  equation  with  any  number  of  unknown  quantities  and 
with  rational  integral  numerical  coefficients:  To  devise  a  process  according  to  which  it  can 
be  determined  by  a  finite  number  of  operations  whether  the  equation  is  solvable  in  rational 
integers.”  A  problem  which  has  been  showed  undecidable. 

Hence,  no  solver  handles  just  any  integer  constraints.  Most  of  them  only  handle  linear 
integer  constraints.  Some  of  them  contain  extensions  to  simple  families  of  polynomials.  We 
will  follow  the  wise  precedents  and  only  attack  linear  constraints,  for  now. 

Three  families  of  solvers  are  currently  used  : 

•  Fourier-Motzkin’s  variable  elimination  [6] 

•  SUP-INF  [3] 

•  The  Simplex  algorithm  [11] 

The  most  commonly  used  algorithm  is  the  Omega  test  [13],  a  variant  on  Fourier-Motzkin’s 
variable  elimination  [6].  Supposedly,  it  is  the  fastest  and  most  complete  algorithm  currently 
in  use.  For  now,  suffice  to  say  that  it  works  by  eliminating  trivial  equalities  and  inequalities, 
reducing  non-trivial  equalities  into  trivial  equalities  by  applying  a  variant  of  the  mod  operator, 
reducing  non-trivial  inequalities  into  trivial  equalities  by  projection  in  some  n-dimensional 
space  and  checking  exhaustively  for  solutions  when  the  formal  methods  do  not  work.  Since 
this  is  the  most  commonly  used  algorithm  and  this  it  is  definitely  non-trivial,  we  used  it  as  a 
basis  for  our  research. 

The  Simplex  algorithm,  noticeably  used  by  Necula  in  [Necula  1998],  is  a  much  simpler 
algorithms  which  proceeds  by  some  linear  algebra  transformations  on  the  matrix  representation 
of  the  constraints.  Since  this  algorithm  is  fairly  simple,  completely  different  from  the  Omega 
test,  and  since  Necula  has  already  made  some  steps  to  make  it  produce  proofs,  we  used  it  as 
a  confirmation  of  the  genericity  of  this  work. 
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2.2  Verifying  integer  constraints 

2.2.1  Dissociating  collection  and  verification 

The  first  approach  one  can  think  of  for  the  verification  of  integer  constraints-related  policies 
is  the  definition  of  a  source-level  semantic/logic.  In  other  words,  a  set  of  inference  rules  which 
would  be  applied  directly  to  the  source  code,  would  check  all  integer-related  operations  and 
decide,  for  example,  of  the  satisfiability  of  problematic  cases.  This  verification  could  take,  for 
example,  the  form  of  a  type-checking  algorithm. 

A  variant  of  this  approach  would  imply  the  translation  into  a  simpler  language,  say  some 
form  of  A-calculus,  which  would  allow  the  use  of  a  smaller  set  of  rules. 

The  shortcoming  of  this  method  is  in  its  definition  :  interleaved  collection  and  resolution 
of  integer  constraints  -  both  of  which  are  undecidable  problems  -  make  this  semantic  bigger, 
more  complex,  harder  to  maintain.  And,  of  course,  if  the  security  policy  is  to  change,  the 
whole  semantic  will  be  due  for  change. 

Dissociating  both  aspects  is  not  going  to  solve  anything  by  itself,  of  course.  But  it  allows 
to  work  on  both  aspects  separately,  and  to  find  separate  solutions.  For  example,  using  Xi’s 
dependent  type  system  [17]  or  an  annotation  system  for  the  collection  of  integer  constraints 
makes  it  possible  to  overcome  the  undecidability  of  constraints  collection. 


2.2.2  Dissociating  the  policy  from  the  constraints  checker 

The  logical  successor  of  the  former  approach  is  a  two-level  architecture  :  one  constraints 
collccter  and  one  policy  checker /prover.  However,  this  is  still  no  solution. 

Some  program  require  different  security  policies.  For  example,  two  different  optimizations 
such  as  array  bounds  checking  elimination  and  automatic  parallelization  may  not  be  proved 
valid  by  the  same  set  of  criteria.  A  program  taking  advantage  of  both  optimizations  will 
hence  be  collected  for  constraints  and  then  policy- checked/policy-proved  twice.  However,  both 
policies  rely  on  integer  constraints  verification.  In  other  words,  it  might  be  that  only  one  step 
of  both  policy  solver /checker  is  different. 

In  other  words,  the  size  of  the  proof  and  the  time  required  to  produce  and  then  check  it 
can  be  reduced  by  just  dissociating  the  policy  checker  and  the  constraints  solver.  For  example, 
the  Omega  Test  [13]  is  an  “as  generic  as  it  gets”  integer  constraints  solver. 
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2.2.3  Proving  the  result 


The  next  step  is  that  of  solving  the  constraints,  which  can  be  handled  by  classical  algorithms 
such  as  the  Omega  Test  or  the  Simplex  for  given  families  of  integer  constraints. 

This  is,  however,  not  the  last  step.  For  the  receiving  host  still  has  to  be  convinced  of  the 
(un) satisfiability  of  the  set  of  constraints. 

The  satisfiability  is  rather  trivial  to  prove,  since  it  only  requires  a  numerical  certificate.  In 
other  words,  a  numerical  example.  However,  the  unsatisfiability  is  a  much  harder  problem.  In 
practice,  when  the  enforcement  of  the  policy  requires  the  unsatisfiability  of  a  set  of  constraints, 
two  distinct  methods  are  used  to  check  that  the  security  policy  is  enforced. 

2. 2. 3.1  Solver  algorithm  in  TCB  The  first  solution  is  to  include  the  decision  algorithm 
in  the  trusted  computing  base.  In  other  words,  the  run-time  proof  checking  system  contains 
the  Omega  test,  for  example,  and  is  submitted  a  set  of  linear  equations  and  inequations,  which 
it  solves,  just  like  the  compiler  did.  The  method  seems  to  have  been  implicitly  used  by  Xi  [17]. 

This  method  is  not  without  advantages  : 

•  It  is  simple  to  implement. 

•  The  included  Omega  test  might  be  very  low  level  and  fast. 

•  Carried  proofs  can  be  very  short. 

However,  it  has  serious  drawbacks  : 

•  Since  the  whole  set  of  equations  and  inequations  is  solved  again,  it  requires  lots  of  possibly 
useless  calculations. 

•  The  algorithm  used  cannot  be  changed,  which  prevents,  for  example,  from  adding  the 
capability  of  solving  some  simple  kind  of  polynomial  constraints,  to  the  solver. 

•  The  TCB  must  be  expanded  with  a  possibly  complex  algorithm,  thus  increasing  the  risks 
of  bugs,  leading  to  unsoundness. 

•  If  the  run-time  system  has  to  be  ported  to  another  platform,  the  included  test  makes  it 
bigger,  hence  probably  harder  to  port. 

•  Since  no  integer  constraints  solving  algorithm  is  complete,  some  kinds  of  constraints 
cannot  be  checked  at  compile-time.  In  particular,  if  the  type  system  requires  these 
constraints,  as  is  the  case  with  dependent/indexed  type  systems  [17],  the  compiler  will 
flatly  refuse  perfectly  sound  programs. 
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2. 2. 3. 2  Solver-logic  in  TCB  Another  simple  idea,  introduced  by  Necnla  [10],  is  to  define 
a  set  of  deduction/inference  rules  encompassing  all  the  steps  in  the  algorithm  and  proving  the 
result  using  these  rules.  In  fact,  this  is  the  same  thing  as  introducing  a  new  logic  adapted  to 
the  solver. 

Once  again,  this  has  advantages: 

•  The  algorithm  does  not  need  to  be  included  in  the  TCB  as  such. 

•  Some  useless  calculations  can  be  removed  from  the  proof,  hence  resulting  in  faster  checks. 
However,  similar  drawbacks  can  be  found: 

•  The  TCB  is  still  expanded,  this  time  with  a  specific  logical  system,  which  is  almost  as 
hard  to  trust  as  the  algorithm  itself. 

•  The  system  is  still  locked  with  a  particular  algorithm  and  minor  variations  on  this  al¬ 
gorithm.  This  approach  still  prevents  some  optimizations  and  still  refuses  some  sound 
programs. 

3  Solver2FOL 

3.1  Presentation 

One  of  the  next  logical  steps  of  modularization  in  the  verification  of  integer  constraints  is  that 
of  rendering  the  algorithm  independent  from  the  proof.  That  of  getting  rid  of  the  limits  of  the 
approaches  previously  exposed. 

Solver2FOL  is  a  small  contribution  to  this  task:  a  study  of  the  feasibility  of  this  dissociation. 
Although  this  work  is  no  way  related  to  the  semantic  model  for  PCC  introduced  by  Appel 
and  Felty  [1],  it  can  be  seen  as  a  complementary  module:  where  Appel  and  Felty  introduce 
a  semantic  model  to  describe  types  and  machine  instructions,  in  order  to  achieve  language 
independence  in  PCC,  we  introduce  a  model  to  describe  constraints  solvers,  in  order  to  achieve 
algorithm  independence  in  PCC. 

Solver2FOL  is  a  set  of  tools  designed  to  allow  the  translation  of  integer  constraints  solving 
algorithms  into  algorithms  building  First  Order  Logic  (FOL)  proofs.  It  is  composed  of  : 

•  A  syntax  to  express  constraints. 

•  A  minimal  semantics  on  the  constraints. 

•  A  minimal  list  of  trusted  operations. 


•  A  collection  of  formal  definitions  to  enrich  the  constraints  using  usual  comparisons  and 
operations. 

•  A  collection  of  basic  theorems,  all  of  them  formally  proved,  which  prove  the  use  of  these 
enrichments  valid. 

•  A  collection  of  general-purpose  lemmas,  formally  proved  using  these  theorems. 

In  addition,  we  provide  as  an  example  0mega2F0L  and  Simplex2FOL,  formally  proved 
“Solver2F0L-izations”  of  the  Omega  test  and  of  the  Simplex. 

3. 1.0.3  FOL  vs.  set  of  rules  First  Order  Logic  was  chosen  instead  of  a  custom  set  of 
rules  since  First  Order  Logic  allows  to  express  the  kind  of  rules  such  a  work  would  need  as  a 
set  of  axioms.  Using  a  custom  set  of  rules  would  provide  shorter  proofs  but  would  not  allow 
ns  to  use  the  full  power  of  First  Order  Logic.  LInless,  of  course,  we  want  to  reexpress  FOL  into 
this  set  of  rules. 

And  of  course,  using  a  custom  set  of  rules  is  the  first  step  toward  defining  and  locking  the 
algorithm  by  the  mere  description  of  the  proof  system  -  which  is  exactly  what  we  want  to 
avoid.  FOL  allows  us  to  ignore  this  pitfall. 

3. 1.0.4  FOL  vs.  HOL  First  Order  Logic  was  chosen  because  FOL  rules  and  axioms  tend 
to  be  simpler  and  more  readable  than  true  Higher  Order  Logics.  However,  we  will  show  that 
this  approach  has  several  drawbacks. 

3. 1.0. 5  Formalism  Solver2FOL  redefines  most  operations  on  Z  using  formal  notations. 
This  redefinition  allows  ns  to  produce  purely  formal  proofs  of  lemmas  and  theorems.  In  time, 
these  purely  formal  proofs  may  be  shipped  and  mechanically  verified  by  a  theorem  checker. 

3.2  Constructs 

3.2.1  Grammar 

Figure  1  gives  the  grammar  for  Solver2FOL.  Tests  are  to  be  talen  as  First  Order  Logic  terms. 

This  grammar  is  chosen  as  to  make  the  basic  set  of  axioms  be  as  minimal  as  possible.  In 
particular,  the  grammar  does  not  contain  inequalities  or  division — all  these  can  be  built  on 
top  of  this  skeleton. 

This  grammar  is  also  designed  to  be  fairly  generic,  so  it  can  express  the  expressions  as  seen 
by  the  solver  algorithm.  For  example,  the  Omega  test  mostly  works  with  expressions  of  form 
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Test 


Term  ~  Term 


(term  comparison) 


T  erm 


Va  r  <G  V 
Int  G  mathbbZ 
T  erm  ©  T  erm 
T  erm  ©  T  erm 


(unknown  variable) 
(integer  constant) 
(term  addition) 

(term  multiplication) 


Where  V  is  a  countable  infinite  set. 


Figure  1:  Grammar  for  Solver2F0L 


“Term  ©  0”  along  sometimes  with  “a  ©  z  ■<  a”  and  u/3  ©  b  ©  z”,  whereas  the  Simplex  only 
uses  “T erm  ©  0”  and  “T erm  ~  T erm ” . 

These  design  decisions  allow  the  translated  Solver2FOL  algorithm  to  use  the  exact  same  set 
of  conditions  as  the  original  algorithm  as  well  as  to  reflect  directly  its  inner  workings.  The  other 
reasons  for  our  choice  are  to  serve  as  a  place-holder  for  future  extensions  on  polynomials  and 
to  pave  the  way  to  render  the  translation  from  an  algorithm  into  Solver2FOL  semi-automatic. 

3.2.2  Semantics 
3. 2. 2.1  Constants 


Comparisons  on  constants  Classical  comparisons  on  Z  such  as  <,  <,  =,  >,  >  and  j 
are  supposed  to  be  already  implemented  and  trusted.  This  represents  the  fact  that  all  those 
operations  are  already  part  of  the  CPU,  hence  already  trusted  in  order  to  run  the  proof-checking 
system. 


Operations  on  constants  Classical  operations  on  Z  such  as  addition,  multiplication, 
floor  division  ( |_-J ) ,  ceil  division  ([-]),  modulo  and  absolute  value  are  supposed  to  be  already 
implemented  and  “mostly  trusted”.  This  represents  the  fact  that  all  those  operations  are 
already  part  of  the  CPU,  hence  already  trusted  in  order  to  run  the  proof-checking  system  - 
but  that  exceptions  can  occur. 

“Mostly  trusted”  means  that  operations  are  trusted  as  long  as  no  exceptions  are  thrown 
(division  by  zero,  overflow,  underflow).  The  semantics  of  exceptions  in  Solver2FOL  is  that  if 
any  exception  should  be  raised,  then  the  whole  proof  is  considered  false.  Although  this  is  not 
a  fully  satisfactory  arrangement,  it  is  not  incoherent  :  if  a  proof  contains  such  an  exception,  it 
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probably  means  that  the  prover  forgot  to  catch  the  same  exception.  However,  this  might  not 
be  true  in  case  of  cross-platform  proof-building. 

3. 2. 2. 2  Variables 


Operations  on  variables  Although  most  of  the  times  integer  constants  will  not  be 
effectively  substituted  to  variables,  the  semantics  of  Solver2FOL  is  designed  for  “constant 
place-holders”  -variables. 

In  other  words,  variables  stand  for  unknown  constants. 

3. 2. 2. 3  Terms 


Definition  Terms  are  members  of  set  T  defined  by  the  grammar  of  Solver2FOL.  Terms 
can  be  considered  as  an  extension  of  integers  with  integer  variables.  For  the  sake  of  simplicity, 
we  will  consider  T  as  a  superset  of  Z. 


Comparisons  on  terms  Classical  comparisons  on  Z  such  as  <,  <,  =,  >,  >  and  j  can 
be  extended  to  terms.  However,  the  only  needed  comparison  is  the  equality  law  «,  defined  by 

~  is  an  equivalence  law  on 
T 

~  is  compatible  with  =  on 
Z 


Operations  on  terms  Classical  operations  on  Z  such  as  addition,  multiplication,  divi¬ 
sion  ([-J)  can  be  extended  to  terms.  However,  the  only  needed  operations  are  addition  ©  and 
multiplication  ©,  defined  by 

©  is  an  internal  composition  law  on 
T 

©  is  commutative,  associative,  dis¬ 
tributive  on  © 

0  is  neutral  for  © 

,  ©|Z  =def  + 
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(8)  is  an  internal  composition  law  on 
T 

8)  is  commutative,  associative 
0  is  absorbant  for  8 
1  is  neutral  for  8 

,  ®|Z  =def  ■ 

3.3  Definitions  as  axioms 

3.3.1  First  generation 

3. 3. 1.1  Syntactical  conventions 

•  Operators  on  T  have  the  same  precedence  as  their  counterparts  in  Z. 

•  In  case  of  ambiguity,  all  operations  are  supposed  left-parenthesized. 

•  X  ©  Y  is  a  syntactical  shortcut  for  X  ©  ((—1)  8  Y) 

•  lowercase  letters  stand  for  integers  constants 

•  uppercase  letters  stand  for  expressions 

3.3. 1.2  Presentation  The  basic  axioms  are  presented  in  Figure  2.  They  are  translations 
of  the  semantics  of  the  basic  constructs  of  Solver2FOL. 


3.3.2  Second  generation 

3.3. 2.1  Definition  Operators  .\.  and  .%.  are  the  respective  counterparts  of  L1]  and  .  mod  . 
on  T.  Binary  relations  ||,  ■<,  -<,  >-,  >:  are  the  respective  counterparts  of  |,  <,  <,  >,  >.  They 
are  defined  by  : 
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Equality 

VX 

X  «  X 

(eqn  ref) 

VX,  Y 

x  w  Y  =>  Y  «  X 

(eqn  sym) 

VX,  V,  Z 

X  «  Y  A  Y  «  Z  =>  X  «  Y 

(eqn  trans) 

Va,  b 

a  &  b  =>  a  =  b 

(equ  on  Z) 

VX 

3a,  X  ps  a 

(equ  int) 

Addition 

VX 

A"  ©  0  «  X 

(add  0) 

VX,  Y 

X  ©  Y  «  Y  ©  X 

(add  comm) 

VX,  Y,  Y 

X  ©  (Y  ©  Y)  «  (X  ©  Y)  ©  Y 

(add  assoc) 

VX,  1",  Z 

XrjY  =yX©YsiY©Y 

(add  eq) 

Va,  b 

a  ©  6  rj  a  +  6 

(add  on  Z) 

Multiplication 

VX 

0  ©  X  R!  0 

(mult  0) 

VX 

1®Xr  X 

(mult  1) 

VX,  Y 

X  ©  Y  «  Y  ©  X 

(mult  comm) 

VX,  Y,  Z 

X  ©  (Y  ©  Y)  «  (X  ©  Y)  ©  Y 

(mult  assoc) 

VX,  Y,  Z 

(X  ©  Y)  ©  Y  «  (X  ©  Y)  ©  (Y  ©  Y) 

(add/mult  dis 

VX,  Y,  Z 

X  «Y=^X©YrY©Y 

(mult  eq) 

Va,  b 

a  ©  b  Ri  a  •  b 

(mult  on  Z) 

Figure  2:  Basic  axioms  for  Solver2FOL 


X\a  ~  Y  iff  for  some  b  in  [0,  a  —  1],X  rj 
a  ©  Y  ©  b 

X%a  r*  b  iff  b  is  in  [0,  a  —  1]  and  for  some  Y, 
X  rs  a  ©  Y  ©  b 
a  ||  X  iff  X%a  «  0 

X  A  Y  iff  for  some  non- negative  b,  Y  rs  X©6 
X  -<  Y  iff  for  some  strictly  positive  b,  Y  « 
X©6 

X  Y  Y  iff  for  some  non- negative  b,  X  r;  Y©6 
X  Y  Y  iff  for  some  strictly  positive  b,  X  « 
k  Y  ©  6 


3. 3. 2. 2  Axiomatization  The  axiomatization  of  these  operators  and  relations  is  immedi¬ 
ate.  It  is  presented  on  figure  3. 
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Definition  of  operators 


VX,  Y,  a 

X\a  «  Y  =def  3b, 

0<bAb<aAX^a®Y(Bb 

(dodiv) 

VX,  a,  b 

X%a  «  b  =def  3  Y, 

0<6A6<aAXftia®y©6 

(mod) 

Definition  of  relations 

VX,  a 

a  |  X  =def  X%a  ~  0 

(isdiv) 

VX,  1" 

X  V  1"  =def  3b,0<bAY  «  X©6 

(leq) 

VX,  Y 

X  -<  1"  =def  3b,  1  <  b  A  Y  «  X  ©  b 

(It) 

VX,  1" 

X  h  Y  =def  3b,  0  <  b  A  X  «  Y  ©  b 

(geq) 

VX,  Y 

X  y  Y  =def  3b,  1  <  b  A  X  «  Y  ©  b 

(gt) 

Figure  3:  The  second  wave  of  definitions 


3.4  Basic  theorems 

The  following  set  of  theorems  will  prove  that  the  newly  introduced  operators  are  what  they 
seem  -  namely  that  they  can  be  used  as  their  integer  counterparts.  Purely  formal  proofs  are 
given  in  appendix. 

Basic  theorem  1  (dodiv  on  Z)  The  definition  of  .\.  is  compatible  with  |_'J  on  Z.  In  other 
words,  for  any  integers  a,  b,  a\b  ~  |_f  J  • 

Basic  theorem  2  (mod  onZ)  The  definition  of .%.  is  compatible  with  .  mod  .  on  Z.  In  other 
words,  for  any  integers  a,  b,  a%b  ~  a  mod  b. 

Basic  theorem  3  (isdiv  on  Z)  The  definition  of  ||  is  compatible  with  \  on  Z.  In  other  words, 
for  any  integers  a,  b,  a  ||  b  •<=>■  a\b 

Basic  theorem  4  (leg  on  Z)  The  definition  of  Y  is  compatible  with  >  on  Z.  In  other  words, 
for  any  integers  a,  b,  a  Y  b  a  >  b 

Basic  theorem  5  Y  defines  a  partial  order  on  T .  In  other  words, 

(  VX  X  Y  X  ( geq  ref) 

l  VX,y  X  YY  AY  Y  X  =>  X  zeY  [geq  antis) 

{  VX,  Y,  Z  XYYAYtZ=>XtZ  ( geq  trans ) 
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Basic  theorem  6  (gt  on  Z)  The  definition  of  Y  is  compatible  with  >  on  Z.  In  other  words, 
for  any  integers  a,  b,  a  Y  b  -<=b  a  >  b 

Basic  theorem  7  (It  on  Z)  The  definition  of  Y  is  compatible  with  <  on  Z.  In  other  words, 
for  any  integers  a,  b,  a  Y  b  -4=b  a  <  b 

Basic  theorem  8  (leq  on  Z)  The  definition  of  Y  is  compatible  with  <  on  Z.  In  other  words, 
for  any  integers  a,  b,  a  Y  b  <=>  a  <  b 

Basic  theorem  9  Y  defines  a  partial  order  on  T.  In  other  words, 

(  MX  X  Y  X  ( leq  ref) 

<  MX,Y  X  Y  Y  AY  Y  X  =b  X  «  Y  [leq  antis) 

{  MX,  Y,  Z  X  YY  AY  YZ^XYZ  ( leq  trans) 

Basic  theorem  10  (leq  equiv  geq)  Y  and  Y  are  each  other’s  symmetric.  In  other  words, 
b  X  Y  Y  Y  Y  X. 

Basic  theorem  11  (It  equiv  gt)  Y  and  >-  are  each  other’s  symmetric.  In  other  words,  b  X  -< 
Y  Y  >-  X. 

Basic  theorem  12  (It  as  leq)  Y=Y  U  In  other  words,  b  X  Y  Y  4=^  (. X  -<  YM X  «  Y). 
Basic  theorem  13  (gt  as  geq)  Y=y  U  In  other  words,  b  X  Y  Y  (A"  b-  YM X  «  Y). 

Basic  theorem  14  (eq  as  ineq)  Y  n  >:=~.  In  other  words,  X  Y  Y  A  X  Y  Y  b  X  Y. 

Basic  theorem  15  (absurd  ineq)  Y  D  >-=  0.  In  other  words,  X  -<  Y  A  X  b-  Y  b_L. 

3.5  General-purpose  lemmas 

Formal  proofs  are  given  in  appendix. 

Main  lemma  1  (opp  add)  Opposite  addition  is  provable  using  Solver2FOL.  In  other  words, 
b  Y  ©  Y  «  0 

Main  lemma  2  (add  eq2)  A  second  formulation  for  addition  on  each  side  of  an  equality  can 
be  proved  using  Solver2FOL.  In  other  words,  X^Y\~Z®X^Z®Y 
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Main  lemma  3  (mult  eq2)  A  second  formulation  for  addition  on  each  side  of  an  equality  can 
be  proved  using  Solver2FOL.  In  other  words,  X&Y\-Z®XpzZ<g)  Y 

Main  lemma  4  (add  eqS)  General  addition  on  both  side  of  the  equality  sign  can  be  proved 
using  Solver2FOL.  In  other  words,  X^Y/\Z^T\-X®Z^Y®T 


Main  lemma  5  Substruction  in  equality  (sub  equ)  is  provable  using  Solver2FOL.  In  other 
words, 

f  X  ©  Y  «  Z  b  X  «  Z  ©  Y 

1  z&xeYh zeY^x 


Main  lemma  6  (sub  ineq)  Substruction  in  an  inequality  is  provable  with  Solver2FOL.  In  other 
words, 

X@Y Y  Z  h  X  Y  Z  QY 


Main  lemma  7  (mult  sum)  The  propagation  of  multiplication  in  a  sum  is  provable  with 
Solver2FOL.  In  other  words, 


b  P®  YiaXi  ps  E ieIp  ©  Xi 


Main  lemma  8  (var  isol)  The  isolation  against  a  variable  in  a  sum  is  provable  with  Solver2FOL. 
In  other  words,  for  any  j  in  I, 


b  Eje/Xj  ps  (YieI \{j}Xi)  ©  Xj 

Main  lemma  9  (var  resol)  The  resolution  against  a  variable  of  an  equality  between  a  sum 
and  a  constant  is  provable  in  Solver2FOL.  In  other  words,  for  any  k  in  I, 

YieIXi  ps  c  b  Xk  ps  c  ®  Sie/\{fc}©Xi 
Main  lemma  10  (0  add2)  b  X  a;  X  ©  0 

Main  lemma  11  (div  sum)  The  propagation  of.\p  in  a  sum  where  all  elements  are  divisible  by 
p  is  provable  using  Solver2FOL.  In  other  words,  ifp\ai,p\a2,  ■  ■ .  p\an  then  b  ~ 

Sie[i>B]  rf  ©  Xi 

Main  lemma  12  (mult  ineq)  Multiplication  in  inequality  is  provable  using  Solver2FOL.  In 
other  words, 

X  YY  AO  ■<  Z  b  Z  ©  X  Y  Z  ®Y 
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3.6  Summary 


Once  this  set  of  theorems  and  lemmas  is  proved,  we  have  a  full  syntax  and  its  associated 
semantics  to  handle  formal  expressions.  Note  that  as  opposed  to  Xi’s  approach,  for  example, 
quantifiers  are  not  handled  by  Solver2FOL  -  they  don’t  need  to,  since  they  are  already  handled 
by  First  Order  Logic. 

Also  note  that  the  trusted  computing  base  is  very  small:  it  consists  of  classical  integer 
operations  and  very  few  (and  very  basic)  properties  of  ®  and  ©.  Thus,  complex  proofs  can  be 
traced  back  to  a  base  of  axioms  which  can  easily  be  checked  and  trusted. 


4  The  Omega  test 

4.1  The  original  algorithm 

The  input  of  the  Omega  test  is  a  set  of  linear  equalities  and  linear  inequalities  involving  only 
integer  values.  All  the  conditions  are  supposed  to  have  form  E*="ai  •  Xi  <  c  or  •  ay  =  c. 

4. 1.0. 3  Removing  equality  constraints 

•  Equalities  of  the  form  E ■  Xi  =  c  are  divided  by  the  greatest  common  divisor  of 

•  •  •  5  •  If  this  leads  to  a  formula  with  non-integer  values,  the  test  has  failed  and  the 

system  is  unsatisfiable. 

•  If  two  equalities  are  visibly  incompatible,  the  set  is  unsatisfiable. 

•  If  one  of  the  equalities  contains  a  variable  with  coefficient  1  or  -1,  remove  this  equality 
and  eliminate  the  variable. 

•  Otherwise,  choose  one  equality  E •  Xi  —  c  and  replace  it  with  —  (a*,  •  Xk\  ■  <r  + 

cLi/m  +  1/2J  +  difim)  ■  x^  where  a/ib  =def  a  —  b  ■  [a/b  +  1/2J  and  m  ■  a  =def 
E lZi(aiHm )  ■  Xi  =  c 

•  Proceed  until  there  are  no  more  equality  constraints. 

4. 1.0. 4  Removing  inequality  constraints 

•  Inequalities  of  the  form  E ■  Xi  <  c  are  divided  by  the  greatest  common  divisor  of 
ai , ,an,  rounding  down  c/g. 

•  If  inequalities  can  be  merged  into  equalities,  merge  them. 

•  If  two  inequalities  are  redundant,  remove  the  weakest  one. 
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•  If  inequalities  are  visibly  incompatible,  the  set  is  unsatisfiable. 

•  If  there  are  no  more  equalities  and  if  there  is  a  variable  without  upper  bound  or  without 
lower  bound,  remove  all  the  inequations  involving  this  variable. 

•  Compute  the  real  shadow  of  the  set  of  inequalities  along  z  by  merging  two  constraints 
such  as  a  ■  z  <  a  and  (3  <  b  ■  z  into  constraint  a  ■  (3  <  b  ■  a,  where  a  and  b  are  positive 
integers. 

•  Compute  the  integer  shadow  of  the  set  of  inequalities  along  z  by  merging  the  two  same 
constraints  into  b  ■  a  —  a  ■  (3  >  (a  —  1)  •  (b  —  1). 

•  If  both  shadows  are  identical,  the  system  is  satisfiable  iff  there  are  integer  solutions  to 
the  (common)  shadow 

•  otherwise 

—  if  there  are  no  integer  solutions  to  the  real  shadow,  the  set  is  unsatisfiable 

—  if  there  are  integer  solutions  to  the  integer  shadow,  the  set  is  satisfiable 

—  otherwise 

*  determine  the  largest  coefficient  a  of  z  in  any  upper  bound  a  >  az  on  z  and 
for  each  lower  bound  bz  >  (3  on  z,  for  each  i  in  [0,  ( ab  —  a  —  b)/ a]  do  solve  the 
problem  combined  with  bz  —  (3  +  % 

—  Proceed  until  there  is  at  most  one  inequality.  If  this  happens  the  system  is  satisfi¬ 
able.  Otherwise,  it  is  not. 

4.2  Omega2FOL 

Let  us  consider  a  reduced  version  Omega’  of  the  known  Omega  test.  This  Omega’  is  a  subset 

of  the  Omega  test  where  two  optimizations  have  been  remove  for  the  sake  of  simplicity.  These 

optimizations  are  not  required  to  run  the  Omega  test  : 

Coefficients  reduction  We  have  not  tried  to  prove  this  step  yet.  However,  our  work  so  far 
seems  to  indicate  that  this  step  will  require  a  more  complete  work  on  the  Omega  test, 
including  completeness  studies. 

Fusion  of  opposite  inequalities  This  step  is  trivial  but  meaningless  without  coefficients 
reduction. 

Construct  1  There  exists  an  algorithm  Omega2FOL  based  on  Solver2FOL  which  : 

•  can  solve  the  same  set  of  constraints  as  Omega  ’. 

•  instead  of  Y es/N o,  returns  proofs  of  unsatisfiability  whenever  Omega  ’  decides  that 
the  set  is  unsatisfiable. 
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4. 2. 0.5  Steps  All  these  steps  have  been  formally  proved  using  Solver2FOL.  Proofs  are 
presented  in  annex. 

Algorithm  step  1  “Equality  normalization”  is  provable  using  Solver2FOL.  In  other  words, 
ifp\ai,p\a2,...p\an  then  8  A*  «  c  b  Eie[ljn]^  8  Ah  «  |JJ 

Algorithm  step  2  “Unsatisfiable  equality”  is  provable  using  Solver2FOL.  In  other  words, 

p\ai  A  p\a2  A  ...  A  p\an  A  £*1™ a*  (8)  Ah  «  c  h  p|c 

Algorithm  step  3  “Inequality  tightening ”  is  provable  using  Solver2FOL.  In  other  words,  if 
p\ai,p\a2,  •  • .  p\an,  then 

£je/a*  8  Xi  A  c  h  -  8)  Xi  A  [— J 

p  p 

Algorithm  step  4  “Real  shadow”  can  be  proved  using  Solver2FOL.  In  other  words,  if  1  <  a, 
1  <  b  then 

Algorithm  step  5  “Exhaustive  check ”  can  be  proved  using  Solver2FOL.  In  other  words,  if 
1  <  a  A  1  <  6,  (a  —  1)  •  (6  —  1)  b  ®  A  Q  a  ®  B  A  a  ®  l;  <  A  A  B  <  b  (&  £  \~  3i,  0  <  i  A  i  ■  a  < 
(a  ■  b  —  a  —  b)  Ab  8  £  B  ®i 

Corollaries  : 

•  Omega’  was  proved. 

•  We  can  produce  Omega2FOL. 

4. 2. 0.6  Informal  listing  of  Omega2FOL  For  the  sake  of  readability,  this  listing  is  an 

informal  presentation  of  the  decision  procedure.  For  example,  it  does  not  detail  the  instantia¬ 
tion  of  each  lemma,  nor  does  it  explicitly  show  that  it  tries  to  simplify  the  handled  equations 
at  each  step,  by  turning  multiplication  by  0  into  0,  by  removing  addition  of  0,  etc... 

Also  note  that  this  algorithm  returns  a  formal  proof  where  Omega’  would  have  returned 
No  and  Maybe  where  Omega’  would  have  returned  Yes.  This  seemed  more  appropriate  in 
absence  of  any  completeness  study  on  Omega’. 

Removing  equality  constraints 

If  there  is  at  least  one  unnormalized  equality  left  £ 
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Normalize 

Call  Omega2FOL  with  a  system  containing  the  normalized  equality  T  instead  of  the 
unnormalized  one. 

If  the  test  returns  Maybe,  return  Maybe 
Otherwise,  if  the  test  returns  proof  P 

Return  the  composition  of  proof  h  £  =>■  T  (built  by  lemma  “Equality  normaliza¬ 
tion”)  and  P 

If  we  can  find  an  unsatisfiablc  equality  £ 

Return  lemma  “Unsatishable  equality”  applied  to  £ 

If  we  can  find  two  contradictory  equalities  A  and  B 
Return  lemma  “eq  trans”  applied  to  A  and  B 
If  there  is  one  equality  £  which  involves  a  variable  £  with  coefficient  1 
Remove  one  variable 

Let  be  the  set  of  equations  and  inequations.  Call  Omega2FOL  with  a  system 

containing  (jF')j,  the  set  of  all  equalities/inequalities  in  which  the  formal  value 
associated  to  £  has  been  substituted  to  £  itself. 

If  the  test  returns  Maybe,  return  Maybe. 

Otherwise,  if  the  test  returns  proof  P 

Return  the  composition  of  the  proof  of  the  formal  value  of  £  (built  by  lemma 
“variable  resolution”),  the  proofs  h  T%  =>  T[  (built  by  lemma  “variable  isolation 
in  a  sum”  and  lemma  “add  eq2” )  and  P. 

If  there  is  one  equality  £  which  involves  a  variable  with  coefficient  -1 

Remove  one  variable 

Call  Omega2FOL  with  a  system  containing  the  opposed  equality  T  in  which  the  -1  has 
been  fully  propagated. 

If  the  test  returns  Maybe,  return  Maybe 
Otherwise,  if  the  test  returns  proof  P 

Return  the  composition  of  proof  h  £  T  (built  by  lemma  “eq  mult”  and  lemma 
“sum  mult”)  and  P 

Otherwise,  if  there  is  still  at  least  one  equality,  let  X  ps  c  be  one  of  the  equalities  left 

Call  Omega2FOL  with  a  system  containing  X  <  c  and  c  >z  X  instead  of  A"  «  c 
If  the  test  returns  Maybe,  return  Maybe 
Otherwise,  if  the  test  returns  proof  P 
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Return  the  composition  of  proof  (built  by  lemma  “eq 

as  ineq”)  and  P 

Removing  inequality  constraints 

If  we  can  find  two  redundant  constraints 

Call  0mega2F0L  with  a  system  containing  all  the  constraints  minus  the  weakest  of  the 
two  redundant  constraints.  Return  the  result. 

If  we  can  find  two  contradictory  inequalities  A  and  B 

Return  lemma  'ieq  trans”  applied  to  A  and  B 

If  there  are  no  more  equalities  and  if  we  can  find  a  variable  without  upper  bound  or  without 
lower  bound. 

Call  Omega2FOL  with  a  system  containing  only  comparisons  which  do  not  involve  this 
variable.  Return  the  result. 

If  there  is  a  variable  (,  along  with  one  lower  bound  condition  B  A  b®(  and  one  upper  bound 
condition  a®  (  <  A  such  as  a  =  1  and  1  <  b  or  b  —  1  and  1  <  a. 

Both  shadows  are  identical 

Call  Omega2FOL  with  a  system  containing  a®  B  A  b  ®  A  instead  of  both  conditions 
If  the  test  returns  Maybe ,  return  Maybe 
Otherwise,  if  the  test  returns  proof  P 

Return  the  composition  of  proof  \~  B  ®b®(Aa®(  <  A  =>■  a  ®  B  A  b®  A  (built 
by  lemma  “Real  shadow”)  and  P 

If  there  is  a  variable  (,  along  with  one  lower  bound  condition  B  A  b®(  and  one  upper  bound 
condition  a®  (  A  A  (a,  b  e  N*).  Ideally,  choose  the  largest  a  and  b  available. 

Shadows  are  not  identical 

Call  Omega2FOL  with  a  system  containing  a®  B  A  b  ®  A  instead  of  both  conditions 
If  the  test  returns  Maybe 

Call  Omega2FOL  with  a  system  containing  (a  —  1)  •  (6  —  1)  A  b®  A®a®  B  instead 
of  both  conditions 

If  the  test  returns  Maybe ,  return  Maybe 
Otherwise,  if  the  test  returns  proof  P 

Try  all  possibilities 

for  each  i  in  [0,  do 

Call  Omega2FOL  with  a  system  containing  b  ®  (  «  B  ©  i  instead  of 
B  A  b®  ( 
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If  the  test  returns  M aybe ,  return  Maybe 
Otherwise,  let  Pt  be  the  proof  returned  by  the  test 
Return  the  composition  of  (Pi)i  and  lemma  “Exhaustive  check”  composed 
itself  with  P 
return  the  proof 

Otherwise,  if  the  test  returns  proof  P 

Return  the  composition  of  P  and  lemma  “Real  shadow” 

If  there  is  only  one  condition  left,  and  if  it  is  an  inequality  involving  a  variable,  return  Maybe 

4.3  An  example 

Consider  the  system 

0 
0 

-1 

Y  «  0  A  A"  ©  Y  «  0  A  X  r<  -1 

If  we  ignore  the  omnipresent  “eq  trans”  axiom  (transitivity  of  equality),  the  resolution  will 
look  like  figure  4 


'  XQY  « 

x@y  « 
x  © 

S  =def  A  © 


5  Simplex 

The  Simplex  algorithm  is  a  well  known  integer  constraints  solving  algorithm.  Noticeably,  it 
has  been  used  by  Necula  and  Lee  [10]  in  order  to  produce  proofs  in  the  Touchstone  compiler. 

Using  Necula’s  work,  the  Simplex  can  be  seen  as  a  decision  procedure  building  proofs  using 
9  simple  logical  rules  :  the  Simplex-logic  rules,  presented  on  figure  5.  Of  these  rules,  geqgeq, 
gtgeq,  leqgeq,  Itgeq,  eqgeq,  geqO  are  already  axioms  or  lemma  of  Solver2FOL  and  the  three  other 
ones  can  be  very  easily  translated  to  Solver2FOL. 

Construct  2  There  exists  an  algorithm  Simplex2FOL  based  on  Solver2FOL  which  : 

•  can  solve  the  same  set  of  constraints  as  the  Simplex. 

•  instead  of  Yes /No,  returns  proofs  of  unsatisfiability  whenever  the  Simplex  decides 
that  the  set  is  unsatisfiable. 
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X  ©  Y  fts  0  is  an  equality  involving  variable  X  with  coefficient  1 
Resolution  of  the  equality  against  X 

Y  (proved  by  lemma  “variable  resolution” ) 
Introduction  of  the  value  of  X  into  X  ©  Y  «  0 
S  b  Y  ©  X  «  0  (proved  by  lemma  “variable  isolation” ) 

5hh  ©  Y  ~  0  (proved  by  axiom  “add  eq” ) 

Introduction  of  the  value  of  X  into  A"  ©  —1 
S  b  Y  ©  —  1  (proved  by  “eq  as  ineq”) 

Factorization  of  Y  ©  Y  fts  0 

S  b  1  ©  Y  ©  Y  fa  0  (proved  by  “add  eq”  and  “mult  1” ) 

S  b  1  ©  Y  ©  1  ©  Y  «  0  (proved  by  “add  eq”  and  “mult  1”) 

S  b  2  ©  Y  «  0  (proved  by  “mult/add  dist”) 

Equality  normalization  of  2  ©  Y  ~  0 
5  h  F  ft!  0  (proved  by  “equality  normalization” ) 

Y  ~  0  is  an  equality  involving  variable  Y  with  coefficient  1 
Resolution  of  the  equality  against  Y 
S  b  Y  «  0  (already  proved) 

Introduction  of  the  value  of  Y  into  1'  I  -1 
S  b  0  A  —  1  (proved  by  “eq  as  ineq”) 
tSbO©— lisa  constraint  without  any  variables. 

S  b  0  <  —  1  (proved  by  “leq  on  Z”) 

5  bffi 

Figure  4:  Example  of  a  resolution  using  Omega2FOL  (outline) 
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\~XYy 
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h  0  h  0 
hFhO  m®  X 

h_L 

b  a  ®  {X  ©  Y)  ft 
b  b  ©  (Y  ©  X)  r 
b  a  >  0 


geqadd 

n  ©  Y  m  >  0  —  1  —  n  >  0  „  ,  . 

-  falsei 


©Z 

©T 


b  ©  y  o 
b  T  y  o 
b  >  o 


b  X  «  Y 


eqi 


Figure  5:  Simplex-logic  rules 
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Corollary  : 


Construct  3  Solver2FOL ’s  logic  is  complete  with  respect  to  linear  integer  constraints. 

The  proof  is  straightforward  :  Solver2FOL’s  logic  can  express  Simplex2FOL’s  results,  Sim- 
plex2F0L  can  produce  results  for  the  same  set  of  constraints  as  the  Simplex,  Simplex  is 
complete  with  respect  to  linear  integer  constraints. 

In  order  to  build  Solver2F0L  proofs  using  the  Simplex,  the  only  things  one  has  to  do  is  : 

•  keep  the  core  of  the  Simplex  decision  procedure 

•  modify  the  proof-generating  components  so  as  to  compose  proofs  using  either  modus 
ponens  on  Solver2FOL  lemmas  or  lemma  composition  of  Solver2FOL  lemmas  instead  of 
rules  composition  of  Simplex-logic  rules.  The  example  of  such  a  modification  is  given  on 
figure  6. 

This  transformation  procedure  is  straightforward  -  and  probably  automatizable,  once  the 
lemmas  have  been  proved.  As  a  matter  of  fact,  it  does  not  require  understanding  the  algorithm 
itself,  only  changing  its  return  statements. 


6  Properties  of  Solver2FOL 

6.1  Representation  power 

6.1.1  Introduction 

It  is  clear  that  any  set  of  inequalities  and  equalities  involving  only  integer  linear  relations  can  be 
represented  using  Solver2FOL.  It  is  also  clear  that  polynomial  constraints  can  be  represented 
using  Solver2FOL. 

A  valid  question  is  :  can  more  complex  conditions  be  represented  using  Solver2FOL  ? 

6.1.2  Expressing  complex  functions  through  brute  force 

A  function  such  as  n  i— >•  [2”]  cannot  be  represented  as  a  finite  expression  in  Solver2FOL’s 
expression  language  on  N. 

However,  for  any  value  of  N ,  as  figure  7  shows,  it  can  be  represented  as  one  disjunction  of 
0( 2N)  conjunctions  of  equalities  on  ]  —  2N,2N]  plus  one  inequality.  If  we  give  to  iV  a  good 
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Simplex-logic  style  :  P,  Q  are  proofs,  r  is 
the  number  of  current  row,  maxProof  is  an 
auxiliary  function,  geqct(c)  is  a  construct 
meaning  “c  is  non-negative” 

mkEqProof(X,Y)  = 

r  <—  r  +  1 

fill  row  r  with  coefficients  for  X  ©  Y 
(a,  Z,  P )  maxProof  (r) 

fill  row  r  with  coefficients  for  Y  ©  X 
(6,  T,  Q )  maxProof  (r) 

r  <—  r  —  1 

return  eqi  (  arith(a  ©  (A"  ©  Y),QZ),  P,  geqct(a), 
arith(b  ©  (Y  ©  X),  ©T),  Q,  geqct(b )  ) 
Solver2FOL  style  :  the  return  statement 
changes  and  becomes 

return  lemma  “equi”  [“a”  a,  “b”  b 

“X”  v-  X,  “Y”  v-  Y,  “Z”  <-  © 

“T”  T](P,Q) 

Figure  6:  Translation  from  Simplex-logic  style  to  Solver2FOL  (fragment) 


value,  say  the  size  in  bits  of  an  memory  word,  we  have,  as  far  as  the  computer  is  concerned, 
represented  our  function. 

As  a  matter  of  fact,  all  functions  can  be  represented  with  Solver2FOL  using  such  a  trick, 
provided  they  stay  into  the  integer  domain  of  the  computer.  However,  since  this  form  po¬ 
tentially  requires  as  many  disjunctions  as  there  are  integer  which  can  be  represented  by  the 


*  — ►  L  fix)  =  2*J 

or 

i= 2n 

\J  (x  Ri  i  A  f(x)  «  2l)  V  (x  -<  0  A  f(x)  «  0) 

i= 0 

Figure  7:  A  represented  non-representable  function. 
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machines,  or  as  there  are  memory  words  which  can  be  addressed  by  the  hardware,  this  simple 
remark  does  not  mean  much  about  the  expressiveness  of  the  language  :  such  representations 
are,  computationally  speaking,  infinite. 


6.1.3  Lessons  from  the  brute-force  approach 

The  brute  force  approach  teaches  us  that  the  real  limitation  of  the  expressiveness  using 
Solver2FOL  is  in  fact  a  size  limitation. 


6. 1.3.1  Disjunctive  Normal  Forms 

Property  1  Let  us  consider  t  :  k  i— >•  2k .  Let  [0,  B[  be  the  range  of  addressable  memory  in  a 
machine  M.  Let  S  be  the  memory  size  of  an  representation  of  t  in  Disjunctive  Normal  Form 
(DNF)  using  Solver2FOL  for  array  bounds  checking  elimination  or  dynamic  memory  protection 
elimination  on  M. 

S  >  B 

Corollary  :  As  such,  t  cannot  be  represented  in  DNF  using  Solver2FOL. 

Proof  of  property  1  Let  ]  —  R,  1?]  be  the  range  of  representable  integers  on  a  given  computer. 

The  simple  study  conducted  in  annex  B.l  proves  that  any  representation  of  function  t  in 
Disjunctive  Normal  Form  using  Solver2FOL  will  require  at  least  R/ 4  terms. 

If  we  assume  that  Solver2FOL  is  used  for  dynamic  array  bounds  checking  elimination  or 
for  dynamic  memory  checking  elimination,  we  need  the  range  of  computable  integers  to  be  able 
to  represent  the  whole  range  of  addressable  memory.  In  other  words,  R>  B . 

If  we  assume  that  each  term  will  require  at  least  eight  bytes  of  memory  allocation,  the  total 
amount  of  memory  required  for  representation  of  t  will  be  at  least  S  =  2  ■  R. 

Hence, 

S  >  B 

6. 1.3. 2  Recursivity  However,  as  shown  in  figure  8  a  logic  with  some  notion  of  recursive 
definition  would  allow  a  simple  definition  of  function  t  in  DNF.  Such  a  logic  would  allow  a 
more  complete  or/and  simpler  expression  language. 
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T(x,y)  =def 


iXOAj/kO 

V  i«OAt/sil 

V  T(x  ©  1,  z)  A  z  «  2/\2 


Figure  8:  A  possible  definition  of  t  :  n  i— >  2n 


6.1.4  Summary 

Solver2FOL’s  expression  language  is  powerful  enough  to  represent  linear  and  polynomial  ex¬ 
pressions.  Since  most  operations  which  require  integer  constraints  solving,  such  as  array  bounds 
checking  optimization  of  automatic  loops  parallelization,  most  often  imply  only  linear  con¬ 
straints,  seldom  polynomials,  and  almost  never  more  complicated  expressions,  this  language 
can  be  considered  complete  enough. 

However,  more  specialized  security  policies  might  require  even  more  expressive  languages. 
We  handle  this  issue  in  section  7.2. 

6.2  Expressiveness  of  proofs 

As  proved  in  section  5,  Solver2FOL  is  complete  with  respect  to  linear  integer  constraints. 
What  can  be  said  beyond  that  ? 

Well,  we  can  say  that  Solver2FOL  knows  no  such  thing  as  an  induction  proof.  This  means 
that  theorems  handling  generalized  sums,  such  as  lemma  7,  cannot  be  expressed  entirely  within 
Solver2FOL’s  logic.  They  must  rely  on  a  meta-logic  and,  for  each  given  sum  met  during  a  proof, 
they  must  be  instantiated  for  the  number  of  terms  in  the  sum. 

This  means  that  Solver2FOL  will  produce  numerous  large  proofs  where  there  could  have 
been  only  one  relatively  simple  proof  in  a  proof  library.  This  issue  is  also  handled  in  section 

7.2  . 

7  From  theory  to  implementation 

7.1  Integrating  Solver2FOL  in  a  real  system 

So  far,  Solver2FOL  has  not  been  introduced  as  a  part  of  a  real  system.  We  plan  to  incorporate 
this  work  into  the  FLINT  system  [15]  by  extending  the  typed  intermediate  language  with 
dependent  types.  In  the  following,  we  briefly  discuss  how  Solver2FOL  may  be  integrated  with 
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some  existing  dependently  typed  languages. 

Xi’s  dependent  type  system  [17],  which  has  been  used  for  array-bounds  checking  elimi¬ 
nation,  relies  on  an  external  constraints  solver,  symbolized  by  |=  in  Xi  [20].  In  practice,  for 
integers,  this  constraints  solver  is  some  (simplified)  variant  of  the  Omega  test. 

Since  we  are  replacing  the  Omega  test  by  Omega2FOL,  one  of  the  next  natural  steps  would 
be  to  insert  Omega2FOL  in  the  dependent  type  system.  However,  this  is  not  as  trivial  as  it 
sounds,  since  an  implicit  requirement  on  the  external  constraints  solver  seems  to  be  completion. 
A  lack  of  completion  resulting  in  an  incomplete  type-checker  and,  as  far  as  PCC  is  concerned, 
the  rejection  of  perfectly  sound  programs  for  arbitrary  reasons.  Of  course,  the  Omega  test  is 
not  complete  on  the  set  of  diophantine  equations.  No  algorithm  is. 

So,  how  do  we  introduce  Solver2FOL  in  here  ?  A  convenient  answer  would  be  that  if 
Solver2FOL  can  do  everything  the  Omega  test  can,  then  of  course  it  can  serve  as  the  external 
solver  in  a  dependent  type  system.  However,  this  is  not  true.  Since  the  external  solver 
is  supposed  complete,  neither  the  Omega  test  nor  Omega2FOL  nor  any  other  algorithm  is 
powerful  enough  as  to  serve  as  such  a  solver. 

Before  introducing  effectively  Omega2FOL  in  the  dependent  type  system,  we  will  have  to 
determine  exactly  what  set  of  constraints  can  be  solved  with  Omega2FOL  or,  for  that  matter, 
any  *2FOL  solver. 

Or  we  can  use  another  approach.  After  all,  the  whole  point  of  Solver2FOL  is  not  to  be 
locked  with  any  solver  algorithm,  even  if  it  is  a  *2FOL  solver.  Turning  the  dependent  type 
system  from  Omega  test-dependent  to  Omega2FOL-dependent  is  only  a  small  improvement. 

The  idea  would  be,  simply  put,  to  make  the  dependent  type  system  solver-independent. 
In  other  words,  replacing  \=  by  K  Replacing  “my  algorithm  can  prove  this”  by  “there  is 
an  algorithm  which  can  prove  this,  here  is  how”.  And  this  algorithm  may  be  Omega2FOL, 
Simplex2FOL,  *2FOL.  Or  Twelf  [12],  or  Coq  [4],  or  the  user  himself.  And  the  algorithm  does 
not  have  to  be  trusted. 

This  is  one  of  the  next  steps  in  the  evolution  of  Solver2FOL. 

7.2  Twelf 

We  have  begun  working  on  integration  using  the  Edinburgh  Logical  Framework  (LF)  [2] 
through  Twelf.  In  other  words,  we  are  trying  to  encode  the  whole  Solver2FOL  system  into 
LF  and  to  translate  proofs  into  the  Twelf  system.  This  task  has  been  undertaken  with  the 
support  of  Princeton’s  PCC  team,  using  PCC  team’s  meta-logic  for  Twelf. 

Using  some  meta-language  (such  as  LF)  and  some  concrete  implementation  of  it  (like  Twelf) 
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to  describe  Solver2FOL  allows  to  turn  Solver2FOL  into  a  really  trustable  and  extensible  part 
of  the  trusted  computing  base.  Extensions  to  Solver2FOL  are  new  definitions,  such  as  new 
operators,  and  new  hard-to-prove-but-fully-trusted  “axioms”.  For  example,  Fermat’s  theorem 
might  be  needed  some  day  or  maybe  some  specialized  theorems  related  to  bank  accounting. 

Additionally,  the  Twelf  meta-logic  we  are  using  allows  us  a  reasoning  of  somewhat  higher 
order.  Axioms  of  induction  on  N,  for  example,  let  us  overcome  the  size  problem  of  induction 
proofs  (cf.  section  6.2).  New  functions  can  be  defined  and  seamlessly  integrated,  which  is  a 
solution  to  the  potential  expressiveness  problem  presented  in  section  6.1.4. 


8  Future  work 

8.1  Implementation 

Our  implementation  of  Solver2FOL  in  Twelf  is  not  complete  yet,  since  the  PCC  team’s  libraries 
we  are  basing  our  work  on  are  still  in  early  development.  For  example,  since  the  libraries  do 
not  include  full  support  for  lists  yet,  and  since  E  sums  rely  on  lists,  we  have  had  to  pause 
development  to  contribute  to  this  non-trivial  part  of  the  libraries. 

8.2  Extensions  to  non-linear  constraints 

Recent  versions  of  the  Omega  test  and  of  other  tests  handle  some  limited  kinds  of  non-linear 
constraints,  using  several  techniques  such  as  polynomials  factoring  or  linear  approximation  on 
segments.  We  are  planning  to  prove  as  many  as  possible  of  these  extensions  using  Solver2FOL 
and  to  add  them  to  Omega2FOL. 

8.3  Exceptions  handling 

As  explained  earlier,  the  semantics  of  Solver2FOL  do  not  handle  integer  arithmetic  exceptions 
in  a  fully  satisfactory  way.  One  satisfactory  way  would  be  to  introduce  some  “non-bounded” 
integers,  using  either  either  unary  integers  or  some  fancy  Big  Integer  construct.  The  first 
possibility  would  be  simpler,  hence  easier  to  trust. 

Another  way  would  be  to  create  proof  templates  instead  of  proofs.  In  this  case,  the  tem¬ 
plates  would  be  instantiated  at  check-time  with  platform-dependent  information.  We  have  not 
pursued  this  trail  any  further  yet.  It  promises  to  be  very  complicated  as  well  as  very  rewarding. 
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9  Related  work 


The  idea  of  PCC  was  first  proposed  by  Necula  and  Lee  [10].  To  handle  integer  constraints, 
they  introduce  the  Simplex- Logic,  a  form  of  minimalistic  logic  tailored  for  proving  results 
obtained  by  the  Simplex  algorithm.  However,  since  this  logic  is  very  specific,  they  can  neither 
express  proofs  using  any  other  algorithm  or  extend  their  algorithm  to  more  generic  constraints. 
Xi  [20,  18],  on  the  other  hand,  proposes  a  dependent  type  system,  which  totally  abstracts  the 
the  solver  algorithm,  considering  it  as  a  prerequisite.  Several  other  works  require  integer 
constraints  solving  algorithms  in  PCC  and  would  benefit  from  a  generic  framework.  Among 
them,  TAL  [7],  Crary  and  Weirich  [5]’s  resource  bound  certifitation,  Wang  and  Appel  [16] ’s  safe 
garbage  collection  and  an  attempt  at  making  the  whole  PCC  system  more  generic  proposed 
by  Appel  and  Felty  [1]. 


10  Conclusion 

We  presented  a  feasibility  study  for  the  elaboration  of  an  algorithm  independent  framework 
for  verifying  and  proving  integer  constraints.  Our  framework,  Solver2FOL,  is  simple  and 
can  represent  all  commonly  used  integer  constraints.  Moreover,  although  its  proof  power  is 
necessarily  limited,  it  can  be  used  at  least  on  the  whole  range  of  linear  integer  constraints, 
which  are  by  far  the  most  common  constraints  encountered  at  compilation-time.  We  also 
presented  our  solution  for  overcoming  expressiveness  limitations  and  overgrown  proofs  size  for 
its  implementation  in  Twelf.  We  plan  to  implement  this  framework  into  the  FLINT  system  [15]. 


References 

[1]  A.  Appel  and  A.  Felty.  A  semantic  model  of  types  and  machine  instructions  for  proof-carrying 
code.  In  Proc.  27th  Annual  ACM  SIGPLAN-SIGACT  Symp.  on  Principles  of  Programming 
Languages ,  pages  243-253.  ACM  Press,  2000. 

[2]  A.  Avron,  F.  Honsell,  and  I.  Mason.  An  overview  of  the  edinburgh  logical  framework,  1989. 

[3]  W.  W.  Bledsoe.  The  Sup- Inf  method  in  praesburger  arithmetic.  Technical  report,  University  of 
Texas  Math  Dept.,  December  1974. 

[4]  C.  Cornes.  Compilation  du  filtrage  de  motifs  avec  types  dependants  dans  le  systeme  coq.  In 
Actes  des  Journees  du  GDR  Programmation  1996,  Orleans,  France,  Novembre  1996. 

[5]  K.  Crary  and  S.  Weirich.  Resource  bound  certification.  In  Proc.  27th  Annual  ACM  SIGPLAN- 
SIGACT  Symp.  on  Principles  of  Programming  Languages.  ACM  Press,  2000. 


30 


[6]  G.  B.  Dantzig  and  B.  C.  Eaves.  Fourier-Motzkin  elimination  and  its  dual.  J.  Combin.  Theo.  A, 
14:288-297,  1973. 

[7]  G.  Morrisett,  D.  Walker,  K.  Crary,  and  N.  Glew.  From  system  F  to  typed  assembly  language.  In 
Proc.  25rd  Annual  ACM  SIGPLAN-SIGACT  Symp.  on  Principles  of  Programming  Languages, 
pages  85-97.  ACM  Press,  1998. 

[8]  G.  Necula.  Proof-carrying  code.  In  Twenty-Fourth  Annual  ACM  Symp.  on  Principles  of  Prog. 
Languages,  pages  106-119,  New  York,  Jan  1997.  ACM  Press. 

[9]  G.  Necula  and  P.  Lee.  Safe,  untrusted  agents  using  proof-carrying  code.  In  Special  Issue  on 
Mobile  Agent  Security:  LNCS  Vol  1419.  Springer-Verlag,  October  1997. 

[10]  G.  C.  Necula.  Compiling  with  Proofs.  PhD  thesis,  School  of  Computer  Science,  Carnegie  Mellon 
University,  Pittsburgh,  PA,  Sept.  1998. 

[11]  G.  Nelson.  Techniques  for  program  verification.  Technical  Report  CSL-81-10,  Xerox  Palo  Alto 
Research  Center,  1981. 

[12]  F.  Pfenning  and  C.  Schiirmann.  System  description:  Twelf  —  a  nreta-logical  framework  for 
deductive  systems.  In  H.  Ganzinger,  editor,  Proceedings  of  the  16th  International  Conference 
on  Automated  Deduction  (CADE-16),  pages  202-206,  Trento,  Italy,  July  1999.  Springer-Verlag 
LNAI  1632. 

[13]  W.  Pugh.  A  practical  algorithm  for  exact  array  dependence  analysis.  Commun.  ACM,  35(8):102- 
115,  August  1992. 

[14]  W.  Pugh  and  D.  Wonnacott.  An  exact  method  for  analysis  of  value-based  array  data  depen¬ 
dences.  In  Proceedings  of  the  Sixth  Annual  Workshop  on  rogramming  Languages  and  Compilers 
for  Parallel  Computing,  Dec  93. 

[15]  Z.  Shao.  An  overview  of  the  FLINT/ML  compiler.  In  Proc.  1997  ACM  SIGPLAN  Workshop  on 
Types  in  Compilation.  Published  as  Boston  College  Computer  Science  Dept.  Technical  Report 
BCCS-97-03,  June  1997. 

[16]  D.  Wang  and  A.  Appel.  Safe  garbage  collection  =  regions  +  intentional  type  analysis.  Technical 
report,  Dept,  of  Computer  Science,  Princeton  University,  July  1999. 

[17]  H.  Xi.  Dependent  Types  in  Practical  Programming.  PhD  thesis,  School  of  Computer  Science, 
Carnegie  Mellon  University,  Pittsburgh,  PA,  Sept.  1998. 

[18]  H.  Xi  and  R.  Harper.  A  dependently  typed  assembly  language.  Technical  Report  CMU-CS-99- 
xxx,  School  of  Computer  Science,  Carnegie  Mellon  University,  Pittsburgh,  PA,  July  1999. 

[19]  H.  Xi  and  F.  Pfenning.  Eliminating  array  bound  checking  through  dependent  types.  In  Proc. 
ACM  SIGPLAN  ’98  Conf.  on  Prog.  Lang.  Design  and  Implementation,  pages  249-257,  New 
York,  1998.  ACM  Press. 


31 


[20]  H.  Xi  and  F.  Pfenning.  Dependent  types  in  practical  programming.  In  Proceedings  of  ACM 
SIGPLAN  Symposium  on  Principles  of  Programming  Languages ,  pages  214-227,  San  Antonio, 
January  1999. 


A  Proofs  using  Solver2FOL 

A.l  Foreword 

This  appendix  contains  purely  formal  proofs  built  using  Solver2FOL. 

A. 2  Syntactical  conventions 

•  A  name  or  a  number  alone  in  a  formal  proof  is  a  reference  to  the  corresponding  lemma, 
theorem,  axiom,  definition.  Only  sublemmas  are  referred  to  by  their  number.  Other 
lemmas,  theorems,  axioms,  definitions  are  referred  to  by  their  name. 

Using  somclcmma 

•  Notation  H  b  ■  is  a  shortcut  for  the  utilization  of  the  modus  ponens  on  an 

instantiation  of  lemma  (or  theorem,  or  axiom,  ...)  sommelemma. 

•  TLfzffXi  is  a  shortcut  for  (((Ad  ©  A"2)©)  •  •  •  Xn ) 

•  Ejg/Xj  is  a  shortcut  for  some  left-parenthesized  sum  (using  ©)  of  all  terms  of  (A f)i£j  1 

A. 3  Basic  theorems 

Proof  of  basic  theorem  1  Let  H  =def  0<eAe<&Aa~5<g)c©e  and  K  =def  0  <  d  A  d  < 
b  A  a  —  b  ■  c+  d. 

Sub  lemma  1  b  6©c©e~6-c©e 

Proof  of  sub  lemma  1 

Using  “mult  on  Z”  Using  “add  eq” 
b  6  ©  c  ~  6  •  c  b  ■ 

b  5®c©e«6-c©e 

lrThe  left-parenthesized  convention  has  been  adopted  for  the  sake  of  simplicity  of  proofs.  However,  there  is 
no  obligation  of  expressing  sums  like  this. 
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Sub  lemma  2  H  b  a  ~  b  ■  c©  e 
Proof  of  sub  lemma  2 

Using  1 

H  \-  a  zs  b  ®  c®  e  b  b  ®  c®  e  ss  b  •  c®  e  Using  “eg  trans” 

H  U  a  mb®c®eAb®c®ePsb-c®e _ H  \-  U 

H b  a  « b ■  c®  e 

lemma  3  H\~a  =  b-  c  +  e 

Proof  of  sub  lemma  3 

Using  2  Using  “add  on  Z  ” 

ha~i)'C9e  i/bfc-c®e~fe-c  +  e  Using  “eg  trans” 

H  ba^6-c®eAb-c®e~6-c  +  e _ H  b  ■  Using  “eg  on  Z” 

HUa~b-c-\-e  HUM 

H  \~  a  —  b  ■  c  +  e 

Sub  lemma  4  a\b  ~  c  b  |_|J  =  c 

Proof  of  sub  lemma  4 

Using  3 

H  b  0  <  e  i/  b  e  <  6  ffho  =  6-  c  +  e 
^hO<eAe<&Aa  =  6-  c  +  e 

3e,0<eAe<iAa«i®c©eh3e,0<eAe<l)Aa  =  &'C  +  e 

a\6  ~  c  b  |_|J  =  c 

lemma  5  b  b-c  +  d~b®c®d 

Proof  of  sub  lemma  5 

Using  1  Using  “add  in  Z” 

b&(g)c®(j^6-c®(j  b  b-c®d^eb-c  +  d 
Ub®c®d^b-c®dAb-c®dpeb-c  +  d  Using  “eg  ref’' 

b  b®  c®  d  m  b  ■  c  +  d _ b  M 

b  b-c  +  dmb®c®d, 

Sub  lemma  6  K  b  a  ~  b  ®  c®  d 
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Proof  of  sub  lemma  6 

K  b  a  =  b-  c  +  d _ Using  5 _ 

K  \-  a  tab  ■  c  +  d  K  \- b  ■  c  +  d  &  b<8>  c®  d  Using  “eg  trans” 

K  \-gmb-c  +  dAb-c  +  dmb®c®d _ K  b  M 

K  \-  a  zsb®  c®  d 

Sub  lemma  7  [| J  =  c  b  a\b  ~  c 

Proof  of  sub  lemma  7 

Using  6 

K  b  0  <  d  K  b  d  <b  K  \~  a  psb®  c®  d 
K\-0<dAd,<bAa~b®c®d 
3d,  0<dAd<bAa  —  b  ■  c  +  d\~  3d,  0<dAd<bAa~b®c®d, 

LfJ  =  c  b  a\b  ~  c 

Hence, 


Using  7  Using  4 


-  1 
■  &J 

=  c  b  a\6  ~  c  a\6  ~  c  b  Lf 

J  =  c 

h  Lf. 

J  =  c  =>■  a\6  w  c  b  a\6  «  c  =>  L 

'il=c 

b 

a\6  LfJ  =  c  A  LfJ  =  c  =>  a 

\b  Ri  c 

b  a\6  ~  c  •<=>■  LfJ  —  c 


Proof  of  basic  theorem  2  Let  H  =def  0  <  eAe  <  &  Aa  ~  6®c®  e  and  K  =def  0  <  e  A  e  < 
b  A  a  =  b  ■  c  +  e. 

Sub  lemma  8  a%b  ~  e  h  a  mod  b  =  e 
Proof  of  sub  lemma  8 

Using  3 

H  b  0  <  e  H  b  e  <  b  H  b  a  =  b  ■  c  +  e 
i7bO<eAe<&Aa  =  &-  c  +  e 

3c,  0  <  e  A  e  <  b  A  a  r*  b  ®  c  ©  e  b  3d,  0  <  e  A  e  <  b  A  a  =  b  ■  d  +  e 

a%b  ~eh  a  mod  b  =  e 

Sub  lemma  9  a  mod  b  —  e  b  a%b  ~  e 
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Proof  of  sub  lemma  9 


Using  6 

AT  0  <  e  K  h  e  <  b  K  h  a  «  6  (8)  d  ©  e 
ATO<eAe<ftAa»&®d©e 
3c,0<eAe<6Aa  =  6-  d  +  el-3c,0<eAe<6Aafti6®c®e 
a  mod  b  =  e  h  a%b  ~  e 


Hence, 


a%b  pc 
h  a%b 
h  a%6  ~ 


Using  8  Using  9 

eh  a  mod  b  =  e  a  mod  b  =  eh  a%b  ~  e 

e  =>•  a  /nod  b  =  e  h  a  mod  b  =  e  =»  a%b  ~ 

e  =r>  a  mod  b  =  e  A  a  mod  6  =  e  =>•  a%b  ~ 

h  a%b  ~  e  -<=>-  a  mod  6  =  e 


_e 

e 


Proof  of  basic  theorem  3 

Using  “m.od  on  Z” 
h  a%b  ~  0  •<=>•  a  mod  6  =  0 
h  a  ||  6  a|6 

Proof  of  basic  theorem  4  H  =def  0<cAa~6®c  and  Jl  =de/  0<dAa=A©d 


5ii6  lemma  10  a  A  b  h  a  >  b 


Proof  of  sub  lemma  1 0 

Using  “add  in  Z” 

H  h  b  0  c  g*  b  +  c 

idhafti6©cA6©cai6Tc  Using  “eg  in  Z  ” 

JfhflRii  +  c _ H  h  ■ 

id  h  0  <  c  H  h  a  —  b  +  c 

H  h  0  <  c  Aa  —  b  +  c 

3c,  0<cAa~5©cb  3d,  0  <  d  A  a  =  b  +  d 
a  A  b  h  a  >  b 


Sub  lemma  11  a  >  b  h  a  A  b 

Proof  of  sub  lemma  1 1 

K  h  a  =  b  +  d  Using  “add  in  Z” 

K  h  a  &  b  +  d  Khb  +  dzid  Using  “eg  trans” 

Khazab  +  dAb  +  dzid _ K  h  M 

K  h  0  <  d  K  h  a  ~  b  ©  d 

A'h0<dAa~6©d 
3d,  0<dAa  =  6©dh3c,  0<cAa~6ffic 
a  >  b  h  a  A  b 
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Hence . 


Using  10  Using  11 

a  Y  b  b  a  >  b  a  >  b  b  a  Y  b 
b  a  Y  b  ^  a  >  b  b  a  >  b  a  Y  b 
\raYb=>a>bAa>b^-aYb 
b  a  Y  b  a  >  b 


A. 3. 0.1  Opposite  addition 

Proof  of  main  lemma  1 

Using  “eq  mult”  Using  “0  mult”  Using  “eq  trans” 
bbeb~0®  Y  b  0  (8)  Y  «  0  FS 

b  Y  ©  Y  «  0 


A. 3. 0.2  “Distribution”  of  addition  on  equality  2 


Proof  of  main  lemma  2  Sub  lemma  12  X  «  Y  b  A  ©  Z  ~  Z  ©  Y 


Proof  of  sub  lemma  1 2 

Using  “add  eq”  Using  “add  comm” 

X  «  Y  b  A"  ©  Z  ps  Y  ©  Z  b  Z  ®Y  k,Y  ®  Z  Using  “eq  trans” 
XttY\-X®Z^Y®ZAZ®  Y  «  Y  ©  Z  b  ■ 

x  «  y  b  a  ®  z  «  z  ©  y 


Hence, 


Using  12  Using  “add  comm” 
b  Z©XftiX©Z  b  Z  ®  X  «  I  ©  Z  Using  “eq  trans” 
X  fxbbX®ZftiZ®FAZ®  A  %X©Z  b  ■ 

a  «  y  b  z  ©  a  «  z  ffi  y 


A. 3. 0.3  “Distribution”  of  multiplication  on  equality  2 


Proof  of  main  lemma  3  Sub  lemma  13  Xk,Y\~X®Zk,Z®  Y 


Proof  of  sub  lemma  1 3 

Using  “mult  eq”  Using  “mult  comm” 

X  psY  b  A  <g)  Z  zsY  ®  Z  \~  Z  ®Y  psY  ®  Z  Using  “eq  trans” 

x«ybA®z«y®ZAZ®  y  «  y  <g>  z  Fi 
a  «  y  b  a  <8)  z  «  z  ®  y 
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Hence . 


Using  13  Using  “mult  comm ” 
b  Z  ®  X  &  X  ®  Z  b  Z  ®  X  &  X  ®  Z  Using  “eg  trans” 
X  ^Y\-X®ZttZ®YAZ®XttX®Z  b  ■ 

x  ^yu  z®x^  z®  i'' 


Proof  of  basic  theorem  5  Reflexivity  : 

Using  “0  add ”  Using  “eg  ref” 
bi©o«i  Fi 
b o  <  o  bixieo 

b  0  <  0  A  X  m  X  ®  0 
b  3i,  0  <  i  A  X  m  X  (Bi 
bA>I 

Antisymmetry  :  let  H  =def  0  <  a  A  0  <  b  A  X  &  Y'  ®  a  AY  k  X©6 


Sub  lemma  If  H  b  Y  ©  a  ~  X 


Proof  of  sub  lemma  If 

Using  “add  trans ” 

HUY  ©  a  ~  a  ©  X  H  b  a  ©  Y  «  X  Using  “eg  trans” 
HUY®a^a®YAa®Y^X  HUM 

H bb ©  a  «  X 


Sub  lemma  15  i7bX©6©a~X©a 


Proof  of  sub  lemma  1 5 


Using  “eg  ref” 

HUY  «  X  ©  b  IIUM  Using  “add  eg” 

HU  X@b&  Y _ HUm 

H  U  X  ©6©  a^Y  ©  a 

Sub  lemma  16  H  U  X  ©6  ©  a  ft*  X 


Proof  of  sub  lemma  1 6 

Using  15  Using  If 

HU  X  ®b<Ba^Y  ©~a  H  UY  &  X  Using  “eg  trans” 
HUX®b®a^Y®aAY®a^X  HUM 

HU  X  ©  6  ®  a  fa  X 
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Sub  lemma  17  HU  X  ©  (5  ©  a)  ~  X 


Proof  of  sub  lemma  1 7 

Using  16  Using  “add  assoc” 

HUX(Bb(Ba~X  H  U  A"  ©  (b  ©  a)  ~  X  ©  b  ©  a  Using  “eg  trans” 
tfbX©&ffia«XAX©(&ffia)«X©6©a  H  b  ■  ’ 

H  U  X  ©  (b  ©  a)  w  X 

Sub  lemma  18  HU  (b@  a)  @XfsX 


Proof  of  sub  lemma  1 8 

Using  17  Using  “add  comm” 

i/bX©(&©a)«X  H  U  (b®a)  ©  X  «  X  ©  (6  ©  a)  Using  “eg  trans” 
H  U  X  ©  (b  ©  a)  «  X  A  (6  ©  a)  ©  X  «  X  ©  (6  ©  a)  FFS 

H  U  (6  ©  a)  ©  X  «  X 

S'-itb  lemma  19  H  b  (6  +  a)  ©  X  «  (a  ©  6)  ©  X 


Proof  of  sub  lemma  1 9 

Using  “add  on  Z”  Using  “add  eg” 
H  \-  (b  +  a)  &  (b  (B  a)  FS 
H  I-  (b  -\-  g)  ©  X  ~  (b  ©  Q-)  ©  X 

5-ub  lemma  20  HU  (b  + a)  (BXQXmXQX 


Proof  of  sub  lemma  20 

Using  18  Using  19 

HU  (6  ©  a)  ©  X  «  X  H  U  (b  +  a)  ©  X  «  (6  ©  a)  ©  X  Using  “eg  trans” 

H  U  (b  ©  a)  ©  X  «  X  A  (b  +  a)  ©  X  «  (6  ©  a)  ©  X  HUM  Using  “add  eg” 

HU  (b  +  a)  ©  X  «  X  //  b  ■ 

ffh(i|a)®X©X«  X  ©  X 

Sub  lemma  21  U  {b  +  a)  ©  (X  ©  A")  «  (6  +  a)  ©  0 


Proof  of  sub  lemma  21 

Using  “opp  add”  Using  “add  eg  2” 
U  (X  ©  X)  «  0  Fi 

b  (6  +  a)  ©  (X  ©  A")  «  (6  +  a)  ©  0 
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Sub  lemma  22  H  b  (b  +  a)  fa  (b  +  a)  ©  (. X  ©  A") 

Proof  of  sub  lemma  22 

Using  21  Using  “0  add” 

h  (6  +  a)  0  (. X  ©  A")  ~  (6  +  a)  ©  0  h(6  +  a)©0~6  +  a  Using  “eq  trans” 

\-  [b  +  a)  ©  (X  ©  X)  «  (b  +  a)  ©  0  A  {b  +  a)  ©  0  «  b  +  a  FB  Using  “eq  ref” 

h  (6  +  a)  ©  (X  ©  X)  «  (6  +  a)  FB 

h  (6  +  a)  F  (b  +  a)  ©  (X  ©  X) 

Sub  lemma  23  H  b  (b  +  a)  ~  (6  +  a)  ©  X  ©  A" 

Proof  of  sub  lemma  23 

Using  22  Using  “add  assoc” 

HU(b  +  a)^(b  +  a)®{Xe  X )  H  h  (6  +  a)  ©  (X  ©  X)  F  ((6  +  a)  ©  X)  ©  A 
H  h  (6  +  a)  «  (6  +  a)  ©  (X  ©  X)  A  (b  +  a)  ©  (X  ©  X)  «  ((6  +  a)  ©  X)  ©  X 

H  b  (6  +  a)  «  ((&  +  a)  ©  X)  ©  X 

Sub  lemma  2f  Hha  +  b^sXQX 

Proof  of  sub  lemma  2f 

Using  20  Using  23 

ffh(6  +  fl)®X©X«  X  ©  X  H  b  (b  +  a)  «  (b  +  a)  ©  X  ©  X 
tfb(&  +  a)©X©X«Xe  X  A  (6  +  a)  «  (6  +  a)  ©  X  ©  X 
Hha  +  b^XQX 

Sub  lemma  25  ffha~0 

Proof  of  sub  lemma  25 

Using  24  Using  “opp  add” 

H\-a  +  btnXeX  H  h  X  ©  X  F  0 
Hha  +  b^X  QX  A  X  ©  X  re  0 
H  h  a  +  6  ~  0 

H  b  a  +  6  =  0  Using  “eq  on  Z” 

_ H  h  a  =  0 _ H  h  ■ 

H  h  a  re  0 

lemma  26  i/ha©y~7©0 
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Proof  of  sub  lemma  26 

Using  25  Using  “add  eq” 

H  U  a  ~  0  HUM  Using  “add  comm” 

H  U  a  ®  Y  ss  0  ®  Y  U  0  ®  Y  ss  Y  ®  0  Using  “eq  trans” 

H  h  a  ®  Y  «  0  ®  Y  A  0  ®  Y  »  Y  ®  0 _ HUM 

H  U  a  ©  Y  «  Y  ©  0 


Sub  lemma  27  H  U  X  «  Y  ©  0 


Proof  of  sub  lemma  27 


Using  “add  comm”  Using  26 

H  UY  ®gps  a®Y  H  U  a  ®  Y  &  Y  ®  0  Using  “eq  trans” 
H  U  Y  ©  a  «  a  ©  Y  A  a  ©  Y  «  Y  ©  0  HUM 

HU  X^Y® a  _ HUY@a*iY®0 

HUX^Y®aAY®a^Y®0 

hu x « y © o 


Using  “eq  trans” 
H  U  M 


Hence, 

Using  27  Using  “0  add” 

H  U  X  «  y  ®  0  h  y  ©  0  «  y  Using  “eq  trans” 

h  u  x  sa  y  0  o  a  y  ©  o  »  y  gn _ 

3a,  0  <  a  A  X  «  y  ©  a  A  36,  0  <  b  A  y  «  X  ©  b  U  X  «  y 

h  y  a  yT:  x  =*►  x  «  y 

Transitivity  :  let  H  =def  0  <  a  AO  <  b  A  X  zs  Y  ®  a  AY  m  Z  ®b 
Sub  lemma  28  HUY ®a~Z®b®a 


Proof  of  sub  lemma  28 


Using  “add  eq” 
H  U  Y  zs  Z  ®b  HUM 
HU Y®a^Z®b®a 

Sub  lemma  29  HUX^Z®b®a 


Proof  of  sub  lemma  29 


Using  28 

II  U  X  ^  Y  0  aH  UY  ®  a  &  Z  ®b®  a  Using  “eq  trans” 

H  UX^Y®a  AY  ®a^Z®b®a _ HUM 

HU  X « Z ®b® a 


40 


Sub  lemma  30  hZ®5®fl«Z®(a  +  6) 


Proof  of  sub  lemma  30 


Using  “eq  trans” 

b  ■ 

b  Z®a®b^Z®(a  +  b) 

Sub  lemma  31  H\~XfaZ®(a  +  b) 


Using  “add  in  Z”  Using  “eq/add  dist2” 
Using  “add  assoc  ”  b  (a  ©  b)  ~  (a  +  b)  b  ■ 

b  Z®a®b^Z®(a®b)  b  Z  ®  (a®  b)  ^  Z  ®  (a +  b) 

b  Z  ®a®b  ^  Z  ®  (a  ®  b)  A  Z  ®  (a  ®b)^  Z  ®  (a  +  b) 


Proof  of  sub  lemma  31 

Using  29  Using  30 

H  b  X  «  Z  ©  a®  b  i/bZ©a©6~Z©(a  +  &)  Using  “eq  trans ” 
H\~X^Z®a®bAZ®a®b^Z®(a  +  b)  H  b  ■ 

H  b  X  «  Z  ©  (a  +  b) 


Hence, 


Using  31 

H  b  0  <  (a  +  b)H  b  X  «  Z  ©  (a  +  6) 
H  b  0  <  (a  +  6)  A  X  rs  Z  ©  (a  +  6) 


H  b  3c,  0  <  c  A  X  «  Z  ©  c 
X  ©  y  AV>ZbA>Z 


Proof  of  basic 

Proof  of  basic 

Proof  of  basic 

Proof  of  basic 

Proof  of  basic 


theorem 

theorem 

theorem 

theorem 

theorem 


6 

7 

8 

9 

10 


The  proof  is  very  similar  to  that 
The  proof  is  very  similar  to  that 
The  proof  is  very  similar  to  that 
The  proof  is  very  similar  to  that 


of  theorem  4 
of  theorem  4 
of  theorem  4 
of  theorem  5 


Sub  lemma  32  X  -<  Y  b  Y  b-  X 


Proof  of  sub  lemma  32 

3a,  0  <  a  A  Y  ps  X  ©  a  b  3b,  0  <  b  A  Y  ps  X  ©  b 
X  ©  Y  b  Y  y  X 
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Sub  lemma  33  X  -<  Y  b  Y  >-  X 


Proof  of  sub  lemma  33 

3a,  0  <  a  A  X  «  Y  ©  a  b  3b,  0  <  b  A  X  m  Y  ©  b 
x  y  Y  b  Y  A  X 


Hence, 

Using  32  Using  33 

X  Y  Y  b  Y  y  X  X  y  Y  b  Y  Y  X 
b  X  Y  Y  =>  Y  y  X  b  X  y  Y  =>  Y  Y  x 
b  X  Y  Y  =>  Y  y  X  A  X  y  Y  =>•  Y  Y  x 
b  x  y  y  <=>  y  y  x 


Proof  of  basic  theorem  11  The  proof  is  very  similar  to  that  of  theorem  10 

Proof  of  basic  theorem  12  (Note  :  This  theorem/lemma  is  not  “ static cf.  6.2  page  27) 

Let  H  =def  0  <  a  A  Y  ps  X  ©  a,  K  =def  x  ~  and  L  =def  0  <  a  A  Y  ps  X  ©  a  A  ->(Y  ps  A) 

Sub  lemma  34  Ibis;  Y 

Proof  of  sub  lemma  34 

Using  “eq  ref” 

L  b  Y  «  X  ®  0  IF i  Using  “0  add ” 

Lbieo^y _ bi^ieo 

L  b  X  ©  0  «  Y  A  X  «  X  ©  0 
Lbi^y 


Sbifo  lemma  35  L  b  0  <  a 


Proof  of  sub  lemma  35 

Using  34 

L,  0  =  a  b  -.(*  «  y)L,  0  =  a  b  X  «  1" 
L,  0  =  a  b  X  «  1"  A  -.(X  «  Y) 

L  b  0  <  a  h,  0  =  a  b_L 

L  b  0  <  a  L  b  0  ^  a 

LbO<aAO/a 
L  b  0  <  a 
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Sub  lemma  36  X  Si  Y  U  X  A  Y  Vl~  Y 

Proof  of  sub  lemma  36 

Using  35 

LUO<aLUY  ~  X  ©  a 
L  U  0  <  a  A  Y  ~  X  ®  a 
L  U  3b,  0  <  b  A  Y  «  A"  ©  b 
X  A  Y  A  -.(X  «  Y)  U  X  A  Y 
X  A  Y  U  X  A  Y  V  X  «  y 

lemma  37  K  h  X  ^  F 


Proof  of  sub  lemma  37 

Using  “0  add”  Using  “eg  ref” 

hx«x©o  Fi 

K  U  X  ©  0  «  X  K  U  X  «  y  Using  “eg  trans  ” 

K  b  X  ©  0  «  X  A  X  «  y  X  b  ■  Using  “eg  ref” 

K  b  X  ©  0  «  Y  K  b  ■ 

KUO  <0  K b  y  « X  ©  0 

XbO<OAFXX0O 
K  b  3c,  0  <  c  A  I'-  ~  X  ©  i 
K  b  X  A  y 


lemma  38  X  ©  y  V  X  «  X  b  X  A  Y 


Proof  of  sub  lemma  38 

H  UP  <  a  HUY ^  X  ©  a 
H b  0  < a  AY  «  X  ©  a 
3a,  H,  0  <  b  A  Y  «  X  ©  6  Using  37 

x  a  y  b  y  a  x  k  u  x  a  y 
x  a  y  v  k  b  x  a  y 


Hence, 

Using  36  Using  38 

x  a  y  b  x  a  y  v  x  «  y  x  a  y  v  x  «  y  b  x  a  y 
b  x  a  y  =>  (x  a  y  v  x  «  y)  b  (x  a  y  v  x  «  y)  x  a  y 
b  (x  a  y  =►  (x  a  y  v  x  «  y))  a  ((x  a  y  v  x  «  y)  =*►  x  a  y) 
b x  a  y  <*=*►  (x  a  y  vx«  y) 
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Proof  of  basic  theorem  13  The  proof  is  very  similar  to  that  of  theorem  12. 


Proof  of  basic  theorem  14  Let  H  =def  X  <Y  A  X  y  Y 

Using  “leq  equiv  geq ” 

H  U  X  A  Y  H  U  Y  A  X  Using  “It  antis” 
HU  X  dUY  A  Y  A  X  HUM 

X  Y  Y  A  X  h  Y  U  X  «  Y 

Proof  of  basic  theorem  15  Let  H  =def  X  -<  Y  A  X  >-  Y 

Using  “It  as  leq”  Using  “gt  as  geq” 

HU  X  A Y  HU Xh Y 

HU  X  A  Y  A  X  h  Y  Using  34 

HU  X  «  Y  H  U  -.(X  «  Y) 

H  U  X  «  Y  A  -.(X  «  y) 
x  -<  y  a  x  a  y  h± 


A. 3. 0.4  Additive  equality 


Proof  of  main  lemma  4  Let  H  =def  X  «  Y  A  Z  «  T 


lemma  39  H  U  X  ®  Z  k,  X  ®T 


Proof  of  sub  lemma  39 


Using  “add  eq2” 
H  U  Z  HUM 

H  U  X  ©  Z  «  X  ®  T 


Sub  lemma  fO  H  U  X  ®T  «  X  ©  T 


Proof  of  sub  lemma  fO 


Using  “add  eq” 
H  UX&Y  HUM 
H  U  X  ©  T  «  Y  ©  T 


Hence, 

Using  39  Using  39 

H  U  X  ©  Z  «  X  ©  T  #bA"©T^Y'©T  Using  “eq  trans” 
H U  X ® Z  ^ X ®T  AX ®T ^Y ®T  HUM 

XttYAZttTUX®Z^Y®T 
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A. 3. 0.5  Substraction  in  equality 


Proof  of  main  lemma  5  Let  H  =def  X  ©  Y  ~  Z  and  K  =def  Z  ~  X  ©  Y 
Sub  lemma  41  bA©(y©y)a;A©0 


Proof  of  sub  lemma  4 1 

Using  “equ  ref”  Using  “opp  add” 

b  X  ps  X  b  Y  ©  y  ftj  0  Using  “add  equ” 

b  x  F  x  a  y  ©  y  F  0  ~  b  ■ 
b  x  ©  (y  ©  y) «  a  ©  o 

Sub  lemma  4%  b  X  ©  {Y  ©  y)  «  A 


Proof  of  sub  lemma  4% 

Using  41  Using  “0  add”  Using  trans” 

x  ©  (y  ©  y)  «  x  ©  o  x  ©  o «  x  Fi 
b  x  ©  (y  ©  y) F  x 

Sub  lemma  43  b  (A"  ©  Y)  ©  Y  ~  X 


Proof  of  sub  lemma  43 

Using  “add  assoc”  Using  43  Using  trans” 

b  a  ©  (y  ©  y) »  (a  ©  y)  ©  y  b  a  ©  (y  ©  y)  «  a  Fi 

b  (a  ©  y)  ©  y  F  a 

Sub  lemma  44  H  b  (A"  ©  Y)  ©  Y  ~  Z  ©  Y 


Proof  of  sub  lemma  44 


Using  “ equ  ref” 

H  b  A  ©  y  w  ZH  b  ©y  sa  ©y  _ Using  “add  equ” _ 

h  b  (a  ©  y)  «  z  a  ©y  »  ©y  h,  (a  ©  y)  «  z  a  ©y  w  ©y  b  ■ 
h  b  (a  ©  y)  ©  y  »  z  ©  y 
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Hence . 


Using  43  Using  44 

H  b  (A"  ©  F)  ©  F  ~  X  H  b  (A"  ©F)  ©Y  ~  Z©F  Using  “equ  trans 
H  b  (A  ©  F)  ©  F  «  A  A  (A  ©  F)  ©  F  «  Z  ©  Y  H  b  ■ 

a  ©  f  «  z  b  x  «  z  ©  f 


Using  “equ  ref” 

K\-  Zm  X  ©  F  A  b  ■  Using  “sub  equl” 

K  b  A  ©  F  «  Z  K  b  ■  t/sing  “eg«  re/” 

A'bZsiZey  a  b  ■ 

z  «  a  ©  y  b  z  ©  y  «  z 


A. 3. 0.6  Substraction  in  inequality 

Proof  of  main  lemma  6  Let  H  =def  X  ©  Y  A  Z  in 

Sub  lemma  45  b  A  ©  0  A  A  ©  F  ©  F 


Proof  of  sub  lemma  45 


Using  “opp  add”  Using  “leq  equiv 
b  0  «  F  ©  F  Ffi 

Using  “A  ref”  b  0  A  F  ©  F  A  F  ©  F  A  0 
b  A  A  A  b  0  A  F  ©  F  Using  “A  add” 

b  A  A  A  A  0  A  F  ©  F  b  ■ 

b  A  ©  0  A  A  ©  F  ©  F 


Sbib  lemma  46  AbA©F©FAZ©F 


Proof  of  sub  lemma  4  6 


“  Using  A  re/' 

A  b  A  ©  F  A  Z  ©F  A  ©F  Psm</  “A  add” 
H  b  A  ©  F  A  Z  A  ©F  A  ©F  H  b  ■ 

H  b  A  ©  F  ©  F  A  Z  ©  F 


Sbtb  lemma  45  AbA©0AZ©F 
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Proof  of  sub  lemma  4  7 

Using  46  Using  45 

H  b  X  ®  y  QY  A  Z  ©  Y  H  U  X  ®  0  A  X  ®  Y  ©  Y  Using  “A  trans” 
HU  XQY  QY  A  0  ©  1"  A  X  ©  0  A  X  ®Y  QY  HUM 

hu a  ©  o  a  z  ©  y 


Hence, 


Using  47 

H  U  X  ©  0  A  Z  Q  Y  Using  “A  trans” 

H U X  ©  0  A  Z ©  Y A  X  ©  0  A  X  HUM 
X ®Y  Y  Z  U  X  Y  Z  Q Y 


A. 3. 0.7  Propagation  of  multiplication  in  sum 

Proof  of  main  lemma  7  By  induction  on  \I\. 

Let  Tik  be  the  hypothesis  “If  |/|  A  k  then  Up®  YiejXi  m  Eie/p  ®  Xt  ” 

H.2  ?  Sub  lemma  48  U  (X  ©  Y)  ®  p  «  X  ®  p@Y  ®  p 

Proof  of  sub  lemma  48 

Using  “mult  comm”  Using  “mult  comm” 

U  X  ®  p  ps  p®  X  U  Y  ®  p  as  p  ®Y  Using  “equ  add” 
UX®ppsp®XAY®p&p®Y  U  M 

U  X  ®  p  ©  Y  ®  p  ph  p  ®  X  ©  p  ®  Y 

Sub  lemma  49  U(X®Y)®p£sp®X®p®  Y 

Proof  of  sub  lemma  49 

Using  48  Using  “eq  mult” 

U  (X  ®Y)  ®  p  xs  X  ®  p  ®Y  ®  p  U  (. X  ®Y)  ®p  zs  X  ®  p®Y  ®  p  Using  “equ  trans ” 
U  (X  ®Y)  ®p  k,  X  ®p@Y  ®p  AX  ®p®Y  ®p  m  p®  X  ®p®Y  U  M 

u  (x ©  y)  ®p ps p® x ®p®Y 

Sub  lemma  50  p  ®  {X  ©  y)  ~  p®  X  ©  p  ®  Y 

Proof  of  sub  lemma  50 

Using  “mult  comm” 

U  (X  ®Y)  ®  p  ^  p  ®  X  ®  p  ®  Y  Up®  (X  ©  Y)  «  (X  ®Y)®p  Using  “equ  trans” 

U  (X  ©  Y)  ®  p  «  p  ®  X  ©  p  ®  Y  A  p  ®  {X  ©  Y)  «  (X  ©  Y)  ®  p  UM 

Up®  ( X  ©  Y )  «  p  ®  X  ©  p  ®  Y 
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Which  proves  H.2- 


Hk  =>■  'Hk®  1  ?  £ei  ws  suppose  Hk  for  a  given  k,  k  >  2.  Let  J  6e  a  set  of  k+1  integers.  By 

definition  of  E,  t/iere  is  some  j  in  J  such  as 

^-‘idjXi  =def  ©  Xj 

Hence, 

P  ®  ^i£jXi  =def  P  ©  (^iG  J\{j}^Q  ©  ) 

and 

SieJp  (8)  X,  =de/  T,ieJ\{j}p  ®Xi®p®  Xj 

Let  Z  =def  ^i^J\{j}Xi  and  T  =def  ‘i(zJ\{j}P  ©  Aj 

Sub  lemma  51  b  p®Z@p®XjPsT®p®Xj 

Proof  of  sub  lemma  51 

Hk  Using  “equ  ref” 

b  p®  Z  ps  T  \-  p  ®  Xj  k,  p  ®  Xj 
\-p®ZpsTAp®XjPsp®Xj 
b  p®  Z  ®p®  Xj  Ri  T  ©  p  ®  Xj 

Sub  lemma  52  b  p®  (Eie  j\{j}X.i  ©  Xj)  ps  TjieJ\{j}p  ®  X,  ®p®  Xj 


Proof  of  sub  lemma  52 

H-2  Using  51 

b  p®(Z®  Xj)  ttp®Z®p®Xj\-p®Z®p®XjttT@p®Xj  Using  “equ  trans” 
Up®{Z®Xj)^p®Z®p®XjAp®Z®p®Xj^T®p®Xj  b  ■ 

b  p®  (SieJ\{i}Ab  ©  Xj)  ps  E ieJ\{j}P  ©  Xt  ®p®  Xj 


which  proves  the  hypothesis. 

A. 3. 0.8  Variable  isolation  in  a  sum 

Proof  of  main  lemma  8  (Note  :  This  theorem/lemma  is  not  “static”,  cf.  6.2  page  27) By  in¬ 
duction  on  |/|. 

Let  Hk  be  the  hypothesis  “If  |/|  ©  k  then  b  '£ieIXi  ps  Y,ieI\{jyXi  ©  Xj” 

H 2  ?  b  X  ©  1"  «  X  ©  Y  and  b  X  ©  Y  ps  Y  ©  X 
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Hk  =>■  'Hk® i  ?  Let  I  be  a  set  of  integers  of  size  k+  1.  By  definition  of  E ,  iftere  is  an  integer  l 
in  I  such  as 

=def  ©  X/ 

Let  Zip)  =def  ^i£l\{p}Xi  and  T  =def  ^-hs/\{j,Z}Xj 


Sub  lemma  53  j  =  1  b  Z(l)  ©  Xi  «  Z(j)  ©  Xj 

Proof  of  sub  lemma  53 

j  =  l\-  Z(l )  «  Z(j)  j  =  /  b  Xi  w  X,  Using  “eq  add” 
3  =  Z(l )  «  Z(j)  AX|  «  X,  J  =  Z  b  ■ 
j  =  Z  b  Z(7)  ©  X,  «  Z(j)  ©  Xj 

Sub  lemma  5f  j  =  l  b  Eie/Xj  «  Z(j)  ©  Xj 


Proof  of  sub  lemma  5f 


Using  53 

j  —  l  Ej6/Xj  Xij  =  l  b  Z(/)  ©  Xi  ps  Z(j)  ©  Xj  Using  “eq  trans 

3  =  1  b  Eie/X,  «  gg  ©  X,  A  gg  0  X[  jjj  Z(j)  0  X,-  j  =  /  b  ■ 

J  =  l  b  E;e/X;  «  Z(j)  ©  Xj 

Siift  lemma  55  j  ^  l  b  Eie/Xj  «  T  ©  Xj  ©  X; 


Proof  of  sub  lemma  55 

Using  Hk  Using  “add  eq” 

j^lV  Z(l)  «  T  ©  Xj  j  ^  /  b  ■ 

j  ^  It-  Z{1)  ©  X;  ps  T  ©  Xj  ©  X;  j  ^  lt~  Eje/Xj  ~Z(I)®  X;  Using  “eq  trans 
j^lt~  E gg  «  Zgj  ©  X;  A  Z(g  ©  X;  ft!  r  ©  Xj  ©  X;  JgTFB 

j  it-  Ejg/Xj  kT©  Xj  ©  X; 

Shift  lemma  56  b  X  ©  (7  ©  T)  k  X  ©  (T  ©  E) 


Proof  of  sub  lemma  56 

Using  “eq  ref”  Using  “add  comm” 

b  X  «  X  E  ©  T  «  T  ©  E  Using  “equ  add” 

b  x  »XAE©r«r©E  b ■ 

b  X  ©  (E  ©  T)  «  X  ©  (T  ©  E) 
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Sub  lemma  57  b  X  ©  (Y  ©  T)  ft;  (A"  ©  T)  ©  Y 

Proof  of  sub  lemma  57 

Using  56  Using  “add  assoc” 

b  X  ©  (T  ©  Y)  «  X  ©  (y  ©  T)  b  (X  ©  T)  ©  Y  «  X  ©  (Y  ©  T)  Using  “equ  trans” 

b  x  ©  (t  ©  y)  «  x  ©  (y  ©  t)  a  (x  ©  t)  ©  y  «  x  ©  (y  ©  t)  Fi 

b  x  ©  (y  ©  T)  «  (x  ©  T)  ©  y 

Sbifo  lemma  58  bXffiYffiTwXffiT©  y 

Proof  of  sub  lemma  58 

Using  “add  assoc”  Using  57 

b  (X  ©  y)  ©  T  «  X  ©  (y  ©  T)  b  X  ©  (y  ©  T)  «  (X  ©  T)  ©  y  Using  “eq  trans” 

b  (x  ©  y)  ©  r  «  x  ©  (y  ©  r)  a  x  ©  (y  ©  t)  «  (x  ©  t)  ©  y  Fi 

b  (X  ©  Y)  ©  T  «  (X  ©  T)  ©  y 
lemma  59  j  ^  l  b  T  ©  Xj  ©  X;  ~  Z(j)  ©  Xj 

Proof  of  sub  lemma  59 

Using  58 

b  (T  ©  Xj)  ©  Xz  ft:  (T  ©  Xz)  ©  Xj  b  (T  ©  Xi)  ©  Xj  ft  Z (j)  ©  Xj  Using  “eq  trans 
j  f  l  b  (T  ©  Xj)  ©  X,  F  (T  ©  Xj)  ©  Xj  A  (T  ©  X,)  ©  Xj  ft  Z(j)  ©  Xj  j  ^  /  b  ■ 

iF^r©  Xj  ©  xt »  z(j)  ©  Xj 

Siib  lemma  60  j  f  l  \~  £ig/Xj  «  Z(j)  ©  Xj 

Proof  of  sub  lemma  60 

Using  55  Using  59 

j  f1 1  Sjg/Xj  ps  T  ©  Xj  ©  X;  T  ®  Xj  ®  Xi  ps  Z (j)  ©  Xj  Using  “eq  trans” 
j  f  l  b  Sjg/Xj  «  T  ©  Xj  ©  X;  A  T  ©  Xj  ©  X[  ps  Z(j)  ©  Xj  j  F  b  ■ 

j^lUYieIX2PsZ(j)(BXj 

Hence, 

Using  60  f  Using  54 

j^l\-Y^IXlPsZ{])®Xj  '  ]  =  l\-YmXi  ps  Z{g)®X3 
(j  =  lUj^l)\-YieIXlPsZ(j)®Xj 
b  SjgjXj  ft!  Z(j)  ©  Xj 

Which  proves  the  hypothesis. 
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A. 3. 0.9  Variable  resolution 


Proof  of  main  lemma  9  Let  A  =def  Eie/\{fc} Xi}  B  =def  T,ieI\{k}  ©  and  H  =def 
c  in 


Sub  lemma  61  H  b  A  ©  Xk  ps  c 

Proof  of  sub  lemma  61 

Using  “var  isol” 

H  U  A  ©  Xk  ps  T,ieIXi  H  U  E i^iXi  ps  c  Using  “equ  trans” 
H  b  A  ©  Xk  ps  Ejg/Aj  A  Ejg/Aj  ps  c  HUM 

H  b  A  ®  Afc  ~  c 


Sub  lemma  62  H  b  ps  c  ©  A 


Proof  of  sub  lemma  62 

Using  “add  comm”  Using  61 
H  b  Xk  ©  A  ps  A  ©  Xk  H  b  A®  Xk  ps  c  Using  “add  trans” 

H  b  Xk  ©  A  ps  A  ©  Xk  A  A  ©  Xk  ps  c  HUM  Using  “ sub  eq” 

H  U  Xk®  A  ps  c  HUM 

H  U  Xk  ps  c  ©  A 


Hence, 


Using  “mult  sum” 

HU  cps  c  HU  QA  ps  B  Using  “equ  add” 

Using  62  HU  cps  cUQAps  B _ HUM 

H  U  Xk  ps  c  Q_A _ HU  cQApsc®B 

_ H  U  Xk  pscQA/\cQApsc®B _ 

Eje/Ab  Eie/\{fc}©Aj 


Using  “equ  add” 
HUM 


A. 3. 0.10  0  Addition 


Proof  of  main  lemma  10 


Using  “0  add”  Using  “eq  ref” 
U  X  ©  0  «  X  Fi 
b  A  «  A  ©  0 
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A. 4  The  Omega  test 

A. 4. 0.11  Equality  normalization 

Proof  of  main  lemma  11  (Note  :  This  theorem/lemma  is  not  “ static cf.  6.2  page  27) Let 
S  =def  Eie[i  .n]ai  <g>  Xi}  T  =def  Ei6[i)n]^  <g>  Xi  and  U  =def  Eie[i ,n]p  <g)  f  <g>  X{.  Let  us  suppose 
p\ai,p\a2,...p\an. 

Sub  lemma  63  b  S  «  U 

Proof  of  sub  lemma  63  DDT: Trivial  but  long.  To  do. 

Sub  lemma  64  b  S  ~  p  <g)  T 
Proof  of  sub  lemma  64 

Using  63  Using  “mult  sum” 
b S ^U  hU^p®T 
b  S  U  A  U  «  p®T 
b  S  PS  p®T 

Hence, 

Using  “0  add”  Using  “eq  ref” 

Using  64  b  p  <g)  T  ©0  «  p  ®T  b  ■ 
b  S  ^p®T  bp®T^j)®r©0 

b,S«p(g>TAp<g)T^p<g)T©0 

b  S ^p®T® 0  b  0  <  0 

bo<OAO<pAS«p®r®o 
b35,  0<&A6<pAS'^p<g)T©& 
p|ai  Ap|a2  A  .  ..p\an  b  (E^i^a*  ®  Xi)\p  «  Ei6[iin]^  <8)  -XT* 

Proof  of  algorithm  step  1  (Note  :  This  theorem/lemma  is  not  “static”,  cf.  6.2  page  27) Let 
H  =deg  Ejg[i)n]aj  ©  Xi  c,  S  =deg  E^^)nj(X^.  g)  Xi  and  T  =de^  —  g)  -A^.  Z/6t  ws  suppose 

p\ai,p\a2,  ■  ■  ■  p\an. 

Sub  lemma  65  H  b  S  ~  p  <g)  |_^J 
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Proof  of  sub  lemma  65 


Using  “mult  on  Z” 
H  b  c  «  p  ■  [^\H  b  p  •  |JJ  «  p  <g>  L^J 

if  hc«p-  |JJ  Ap-  |JJ  |JJ 

H  b  S  ft!  C  If  b  C  «  p  ®  |_|J 

hiS  ~cAc~p®  LpJ 

H  b  S'  ^p<g>  L^J 


Using  “eq  trans 

//  b  ■ 


5ub  lemma  66  H  b  5*\p  ~  |_pj 
Proof  of  sub  lemma  66 

Using  65  Using  “0  add2” 

H  b  S'  «  p  ®  L^J  H  b  p  (8)  L^J  ~  p  0  |_“J  ©  0 
H  b  5  «  p  (8)  |JJ  A  p  0  |_|J  ~  p  0  L^J  ©  0 
ifb,S'f«p0|_|J©O 
ffbOffbb<p  ifb£'«p0|JJ©O 

ffbO<OA6<pAS'^p0|_^J©O 
H  \~  3b,  0  <  b  A  b  <  p  A  S  m  p  ®  [^\  (B  b 
H  b  5\p  «  L?J 


Using  “div  sum”  Using  “eq  ref” 

H  b  5\p  ~  T  H  b  ■  Using  66 

H  b  T  «  S\p  H  b  S\p  «  L^J 

H  b  T  «  S>  A  5\p  «  [Jj 
H  K  T  «  l|J 


A. 4. 0.12  Unsatisfiable  equality 

Proof  of  algorithm  step  2  (Note  :  This  theorem/lemma  is  not  “static”,  cf. 
H  =def  p\ai  A  p\a2  A  ...  A  p|an  A  S*=^a,  ©  A*  «  c  and  S  =def  ©  A*. 


5ub  lemma  67  H  b  S^p  ~  0 


£.2  page  27) Let 
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Proof  of  sub  lemma  67 


Using  64  Using  “0  add2” 

H  U  S  re  p  ®  S\p  H  U  p  ®  5*\p  «  p  ®  5\p  ©  0 
H  U  S'  «  p  ©  Ap®  5\p  «  p  ©  S^p ©  0 
bO<ObO<p  iJb5'^p(g)|JJ©0 

i/bO<OAO<pAS,~p©  |_^J  ©  0 
H  U  3Y,  0<0A0<pA5«p®y©0 
H  b  S%p  «  0 


5^6  lemma  68  i/bc~p®  S'Yp 


Proof  of  sub  lemma  68 

Using  64 

H  \-  S  ^cffbp®  >S\p  ^  £  Using  “eg  trans” 

H  b  p®  S\p  siSASwc  #  b  ■  Using  “eg  ref ” 

HU  p®S\p^c  HUM 

H  U  c  re  p  ©  S\p 


Sub  lemma  69  H  U  c%p  re  0 


Proof  of  sub  lemma  69 

Using  68  Using  “0  add2” 

HU  ere  p®  S\p  p  ®  S\p  re  p®  S\p  ©  0  Using  “eg  trans” 
H  U  c  re  p  ®  S\p  A  p®  S\p  re  p®  S\p  ©  0  HUM 
HUO<OHUO<p  H  U  c  re  S\p  ©  0 

i/bO<OAO<pAc~p©  S\p  ©  0 
H  U  3Y,  0<0A0<pAcrep®Y(B0 
H  U  c%p  re  0 


Hence, 


Using  69 

H  b  c%p  re  0  Using  “isdiv  in  Z” 
H  Up  ||  c  HUM 

H  Up\c 
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A. 4. 0.13  Inequality  tightening 


Proof  of  algorithm  step  3  (Note  :  This  theorem/lemma  is  not  “static”,  cf.  6.2  page  27) Let 
H  0  ^  fc  Ac  ~  ^ iel^i  Z1  X^  ®  k,  S  =def  T  —def  Z  -A i  CLTld  d  =(fe/ 

L^J  -  L^J  ■  Let  us  suppose  p\ai,p\a2,  .  ..p\an. 

Sub  lemma  70  H  U  S  ~  p  Z  (|_^J  ©  r)  ©  d 

Proof  of  sub  lemma  70 

Using  “eq  sub” 

H  U  c  ^  S  ®k  HUM  Using  “eq  ref” 

H  U  c  Q  k  &  S  HUM  Using  “eq  norm ” 

HU  S^cQk  HUM 

HUT  ze  L^J 

hut^  [c-\  ed 

HUT®d^[^\ 


Hence, 


Using  70 
HUT@dp*\± 


Using  “eq  ref” 
H~UM 


HU[^\^T®d  HU0<d 

H  U  0  <  d  A  ~  T  ©  d 


H  U  3a,  0  <  a  A  [pj  ~  T  ©  a 

n  i-  t  s  L|J 


A. 4. 0.14  Real  shadow 


Proof  of  main  lemma  12  Let  H  =def  0  <  t  AY  m  X  ®t  AO  <  Z  A  Z  zs  z  ®0 


Sub  lemma  71  U  Z  ®  t  zs  z  ■  t 


Proof  of  sub  lemma  71 


Using  “mult  eq” 

H  U  Z  ze  z  HUM  Using  “mult  on  7L” 

H  U  Z  ®t  zs  z  Zt _ HUzZt^z-t 

HU  Z®t^zZtAzZt^z-t 
H  U  Z  ®t  m  z  ■  t 
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Sub  lemma  12  HU  Z®{X®t)psZ®X®z-t 


Proof  of  sub  lemma  12 


Using  71  Using  “add  eq” 

Using  “mult/add  dist”  HU  Z®tpsz-t  hB 

H  U  Z  <g>  (X  ©  t)  «  (Z  ®  X)  ©  (Z  ®  t)  H  U  (Z  ®  X)  ©  (Z  <g>  t)  w  Z  ®  X  ©  z  •  t 
H  U  Z  (8)  (A"  ©  t)  «  (Z  <8)  A")  ©  (Z  <®  t)  A  (Z  <8>  X)  ®(Z®t)«Z®X©z-t 

i7hZ®(A"©t)^Z®X®2;-t 

5-u&  lemma  13  H  U  Z  <g)  y  «  Z  ®  X  ©  z  ■  t 


Proof  of  sub  lemma  13 


Using  “mult  eq” 

HUY  ps  X  ©  t  H  h  ■  _ Using  72 _ 

H  U  Z  ®  Y  ps  Z  ®  (X  ©  t)  H  U  Z  ®  (X  ®t)  ps  Z  ®  X  ®  z -t 
HUZ®Y^Z®(X®t)AZ®(X®t)ttZ®X®z-t 
H  U  Z  ®Y  ps  Z  ®  X  ®  z  -  t 


Hence, 


Using  71 

H  U  Z  ®  y  pa  Z  ®  X  ©  z  -t  HUO  <  z 
H  U  0  <  z  -t  A  Z  ®Y  ps  Z  ®  X  ©  z  -t 
3  z,  t,  H  U  3a,  0<aAZ®YpsZ®X(Ba 
X<YAt)AZUZ®X<Z®  Y 


Proof  of  algorithm  step  4  Let  H  =def  a®Z<AAB<b®Z 


Sub  lemma  If  HUa®Bf1a®{b®Z ) 


Proof  of  sub  lemma  If 

H  U  0  <  a 

H  U  0  ^  a  H  U  B  f>b  ®  Z  Using  “mult  ineq” 

HU0^~aAB^b®Z  HUM 

HU  a®B<a®(b®Z) 


Sub  lemma  15  HU  (a  ®b)®Zf1a-b®Z 
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Proof  of  sub  lemma  15 


Using  “mult  on  7L” 

H\- (a  ®b)~b®Z  Using  “It  as  leq” 
H  h  (a  ®b)®Z^a-b®Z  H  h  ■ 

H  \-  (a  ®b)®Z^a-b®Z 

Sub  lemma  76  H  a  ®(b®Z)<a-b®Z 


Proof  of  sub  lemma  76 

Using  “mult  assoc”  Using  “It  as  leq” 

Using  15  H  b  a  ®  (b  ®  Z)  «  (a  ®b)  ®  Z  H  b  ■ 

H  h  (a  ®b)  ®  Z  ^  a  ■  b  ®  Z  H  \-  a®  (b®  Z)  <  (a®b)  ®  Z  Using  “ leq  trans” 

H\- (a  ®b)®Z^<a-b®Z/\a®(b®Z)zf  (a  ®b)®Z  H  h  ■ 

H  \-  a  ®  (b  ®  Z)  -<  a  •  b  ®  Z 


Sub  lemma  77  H\~a®B<a-b®Z 

Proof  of  sub  lemma  77 

Using  74  Using  76 

H\-a®B<a®(b®Z )  H\~a®(b®Z)f1a-b®Z  Using  “leq  trans ” 
H\~a®BNa®(b®Z)/\a®(b®Z)f1a-b®Z  H  h  ■ 

H  \-  a®  B  A  a  ■  b  ®  Z 

Sub  lemma  78  H  \-  a  ■  b  ®  Z  N  b  ®  A 

Proof  of  sub  lemma  78  The  proof  is  very  similar  to  that  of  lemma  77 


Using  77  Using  78 

H  \~  a  ®  B  N  a  ■  b  ®  Z  H\~a-b®Z^<b®A 
H  \~  a®  B  -<a-b®Z/\a-b®Z  ^b  ®  A 
a®  Z  -<  A  A  B  Nb®Z\~a®B  N  b  ®  A 


A. 4. 0.15  Exhaustive  check 

Proof  of  algorithm  step  5  (Note  :  This  theorem/lemma  is  not  “static”,  cf.  6.2  page  27)Let 
H  =def  0  <  /A(a  —  l)-(b—  1)  ~  b®A®a®B®l AO  <  k/\A  ~  a<g)£©/cA0  <  m/\b®f  ~  B@m. 
Suppose  1  <  a  A  1  <  b. 
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Sub  lemma  79 
Proof  of  sub  lemma  79 

Using  “mult  on  Z”  Using  “eg  mult” 

U  a®  m  ~  a  ■  m _ U  M 

U  a®m®a®B^a-m®a®B 

Sub  lemma  80  HU  BBBm^b®^ 

Proof  of  sub  lemma  80 

Using  “eq  as  ineq” 

HUB®m~b®£  HUM 

H  U  B  ©  m  <b  ®  £ 

Sub  lemma  81 

Proof  of  sub  lemma  81 

Using  “add  comm”  Using  “eq  as  ineq” 

U  I  Using  80 

_ hu_  m  ©  B  -<  B  ©  m  H  U  B  ®m  <b®  8,  Using  “leq  trans” 

ffhm©B^flffimA5©m^6®(  HUM 

HU  m®  B  f.b®  £ 

Sub  lemma  82  H  U  a  ®  (m  ®  B)  ^  a  ®  b ®  £ 

Proof  of  sub  lemma  82 

Using  “leq  on  Z” 

Using  81  H  h  0  <  a  HUM 
HUm®Bf1b®8,  H  U  0  a  Using  “eq  mult” 

HUm®B®b®^/\t)®a  HUM 

H  U  a  ®  (m  ©  B)  ■<  a®b®  8, 

Sub  lemma  83  H  U  a  ®  m®  a  ©  B  ■<  a  ®  (m  ©  B) 

Proof  of  sub  lemma  83 

Using  “add/mult  dist”  Using  “eq  as  ineq” 

HUa®m®a®B^a®(m®B)  HUM 

H  U  a  ®  m  ©  a  ®  B  -<  a  ®  (m  ©  B) 
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Sub  lemma  84 

Proof  of  sub  lemma  84 

Using  83  Using  82 

H  U  a®m®  a®  B  -<  a®  (m  ®  B)  H  U  a  ®  (m  ©  B)  U  a®b®£  Using  “leg  trans” 
HUa®m®a®BUa®(m®B)Aa®(m®B)Ua®b®£,  HUM 

HUa®m®a®BUa®b®£, 

Sub  lemma  85  H  U  a  ■  m®  a®  B  U  a®b®  £, 

Proof  of  sub  lemma  85 

Using  79  Using  “eq  as  ineq” 

ha®  m®a®B  mg  - m®a®B _ U  M  _ Using  84 _ 

HU  a  ®m®a®BUa-m®a®B  HUa®m®a®BUa®b®4,  Using  “leq  tran 

HUa®m®a®BUa-m®a®BAa-m®a®BUa®b®£  HUM 

HUa-m®a®BUa®b®4, 

Sub  lemma  86  U  a  ■  b®  £  ■<  a  ®  b  ®  £ 

Proof  of  sub  lemma  86 

Using  “mult  on  Z”  Using  “eq  mult” 

U  a-  b  ~  a®b _ U_M  Using  “eq  as  ineq” 

Ua-b®^^a®b®$,  HUM 
U  a  ■  b®  £  A  a  ®b  ®  £ 

Sub  lemma  87  H  U  m  ■  a®  a®  B  U  a  ■  b  ®  £ 

Proof  of  sub  lemma  87 

Using  85  Using  86 

HU  a  -  m®a®BUa®b®£  HUa-b®£Ua®b®£  Using  “leq  trans” 

HU  a-m®a®B^a®b®£Aa-b®£^a®b®£,  HUM 
HUa-m®a®BUa-b®£ 

Sub  lemma  88  HUb®(a®£)Ub®A 
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Proof  of  sub  lemma  88 


Using  “leg  on  Z” 

H  U  0  <  b  H  b  ■ 

bag^bi  H  U  0  A  b  Using  “ineq  mult” 

HUa®C,^AAO^b  HUM 

H  b  b®  (a  (8)  £)  Ab®  A 


Sub  lemma  89  HUa®b®£Ab®A 


Proof  of  sub  lemma  89 


Using  “mult  assoc”  Using  “eq  as  ineq” 
Using  88  HUb®a®^^b®(a®^)  HUM 

HUb®(a®()Ab®A  HUb®a®£Ab®(a®£) 

H  U  b®  (a  <8>  £)  Ab®AAb®a®£  b  ®  (a  ®  £) 
HUb®a®£Ab®A 
HUb®a®£Ab®A 


Sub  lemma  90  H  U  a  ■  b  ®  £  A  b  ®  A 


Proof  of  sub  lemma  90 

Using  86  Using  89 

HUa-b®£Aa®b®£  HUb®a®£Ab®A  Using  “leq  trans” 
HUb  - a  ®^Ab®a®C,Ab®a®8,Ab®A  HUM 

H  U  a  ■  b  ®  £  A  b®  A 


Sub  lemma  91  HUm-af1b®AQa®B 


Proof  of  sub  lemma  91 

Using  87  Using  90 

HUm-a®a®BAa-b®C,  HUa-b®£Ab®A 
H  U  m  ■  a®  a®  B  A  a  ■  b  ®  ^  Aa  ■  b  ®  t;  <b  ®  A  Using  “sub  eq” 
HU  m-a®a®BAb®A  HUM 

HU  m-aAb®A®a®B 


Sub  lemma  92  H  U  m  ■  a  A  (a  ■  b  —  a  —  b) 
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Proof  of  sub  lemma  92 


H  b  0  <  l  H\- (a -  b  —  a  —  b)mb®AQa®B®l 
HhO<lA(a-b  —  a  —  b)  «  b  ®  Aq  a  ®  B  ©  l 
Using  91  H  h  3n,  0  <  n  A  (a  ■  b  -  a  ~  b)  «  b  ®  A  ©  a  ®  B  ©  n 

H  \-  m  ■  a  ®b®  Aq  a®  B  H  \-  b  ®  Aq  a  ®  B  A  (a  ■  b  —  a  —  b) 

Hhm-aAb®AQa®BAb®AQa®B  Q  (a  ■  b  —  a  —  b) 

H  b  m  ■  a  A  (a  •  b  —  a  —  b) 


Hence, 

Using  92  Using  “leg  on  Z” 

H  b  m  ■  a  Q  (a  ■  b  —  a  —  b)  HUM 
H  b  0  <  m  H  h  m  ■  a  <  (a  ■  b  —  a  —  b)  H\~b®£~BQm 

H  \~  0  <  m  Am  ■  a  <  (a  ■  b  —  a  —  b)  Ab®  £,  «  B  ©  m 
H  b  0  <  i  Ai  ■  a  <  (a-b  —  a  —  b)Ab®C,^BQi 


B  Proofs  on  Solver2FOL 

B.l  Expression  through  Disjunctive  Normal  Form 

Property  2  Let  ]  —  R,  R]  be  the  range  of  representable  integers  for  a  given  computer. 

Let  us  consider  function  t  :  x  i— >  2X 

In  Solver2FOL ’s  language,  any  expression  of  function  f  as  a  Disjunctive  Normal  Form 
(DNF)  which  is  exact  on  [0,/?]  will  require  at  least  R/ 4  elementary  conjunctions. 

Proof  of  property  2  Suppose  that  t  can  be  represented  on  [0,  R]  as 

i—n 

T(x,y)  =def  \/  Ci{x,y) 

i=  1 

where 

T(x,y )  =  y  =  t(x) 

and  Ci(x,y )  is  a  conjunction  of  elementary  (linear)  constraints. 

Suppose  n  <  R/ 4. 

This  means  that  at  least  one  Cfx,y )  will  hold  a  constraint  which  will  be  valid  for  at  least 
3  values  of  x.  Additionally,  since  Cfx,y)  is  in  normal  form,  this  means  that  these  constraints 
define  an  integer  interval  and  that  the  value  of  y  will  be  defined  by  the  same  formula. 
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In  other  words. 


y  =  a  ■  x  +  b 
2  ■  y  =  a  ■  (x  +  1)  +  b 
4  ■  y  =  a  ■  (x  +  2)  +  b 


A  resolution  of  this  system  gives  : 


a  =  0,  b  =  0,  y  =  0 

Since  all  values  of  x  considered  are  in  [0,  R],  we  necessarily  have  y  >  0.  Hence,  contradic¬ 
tion. 

Since  n  >  R/A ,  there  are  at  least  R/ 4  elementary  conjunctions. 
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